US State Privacy Laws: Data Access Rights Compared

There is no federal US privacy law. Instead, over 20 states have enacted their own consumer privacy legislation — each with different deadlines, rights, thresholds, and enforcement mechanisms. This guide compares them and explains what they mean for data access request processing and redaction.

State privacy law comparison table

The table below covers every US state with a comprehensive consumer privacy law in effect or enacted as of March 2026. All laws grant consumers a right to access their personal data. The key differences are in response deadlines, applicability thresholds, and enforcement.

| State | Law | Effective | Access deadline | Extension | Enforcer | Max penalty |
|---|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 | 45 days | +45 days | CPPA + AG | $7,500/violation |
| Virginia | VCDPA | Jan 2023 | 45 days | +45 days | AG | $7,500/violation |
| Colorado | CPA | Jul 2023 | 45 days | +45 days | AG | $20,000/violation |
| Connecticut | CTDPA | Jul 2023 | 45 days | +45 days | AG | $5,000/violation |
| Utah | UCPA | Dec 2023 | 45 days | +45 days | AG | $7,500/violation |
| Texas | TDPSA | Jul 2024 | 45 days | +45 days | AG | $25,000/violation |
| Oregon | OCPA | Jul 2024 | 45 days | +45 days | AG | $7,500/violation |
| Montana | MCDPA | Oct 2024 | 45 days | +15 days | AG | Unspecified |
| Delaware | DPDPA | Jan 2025 | 45 days | +45 days | AG | $10,000/violation |
| Iowa | ICDPA | Jan 2025 | 90 days | None | AG | $7,500/violation |
| New Hampshire | NHPA | Jan 2025 | 45 days | +45 days | AG | $10,000/violation |
| New Jersey | NJDPA | Jan 2025 | 45 days | +45 days | AG | $10,000/$20,000 |
| Nebraska | NDPA | Jan 2025 | 45 days | +45 days | AG | $7,500/violation |
| Tennessee | TIPA | Jul 2025 | 45 days | +45 days | AG | $7,500/violation |
| Minnesota | MCDPA | Jul 2025 | 45 days | +45 days | AG | $7,500/violation |
| Maryland | MODPA | Oct 2025 / Apr 2026 | 45 days | +45 days | AG | $10,000/$25,000 |
| Indiana | INCDPA | Jan 2026 | 45 days | +45 days | AG | $7,500/violation |
| Kentucky | KCDPA | Jan 2026 | 45 days | +45 days | AG | $7,500/violation |
| Rhode Island | RIDTPPA | Jan 2026 | 45 days | +45 days | AG | $10,000/violation |

Key takeaway: Almost every state has converged on 45 days + 45-day extension. Iowa is the sole outlier at 90 days with no extension. California is the only state with a dedicated enforcement agency (CPPA) alongside the AG. Texas has the highest per-violation penalty at $25,000.

No federal privacy law

The United States remains without a comprehensive federal consumer privacy law as of March 2026. The American Data Privacy and Protection Act (ADPPA) and American Privacy Rights Act (APRA) both stalled in Congress due to disagreements over federal preemption of state laws and whether consumers should have a private right of action. With no federal baseline, businesses operating nationally must comply with the patchwork of state laws independently.

For businesses that handle consumer data across multiple states, this creates a practical choice: comply with the most restrictive state law (typically California) and apply those standards nationally, or build jurisdiction-specific processes that apply different standards based on the consumer's state of residence. Most privacy professionals recommend the former approach, as it simplifies operations and future-proofs against new state laws that may be more restrictive than current ones.

The five states that matter most

While 20+ states have privacy laws, five drive the majority of compliance activity due to their population size, enforcement resources, and regulatory ambition.

California (CCPA/CPRA)

California has the strongest privacy law in the country. The CCPA, as amended by CPRA, is the only state law with a dedicated enforcement agency — the California Privacy Protection Agency (CPPA) — in addition to the Attorney General. It is also the only state law that gives consumers a private right of action for data breaches. In January 2026, major new regulations took effect covering automated decision-making technology (ADMT), mandatory risk assessments, and phased cybersecurity audits. Penalties are assessed per consumer, per violation, with no aggregate cap — making systematic violations potentially catastrophic. For a detailed breakdown, see our CCPA DSAR guide.

Virginia (VCDPA)

Virginia was the second state to enact a comprehensive privacy law, and its framework has become the template for most subsequent state laws. The VCDPA uses an opt-out model (personal data can be collected without affirmative consent, but consumers can opt out of sale, targeted advertising, and profiling). Virginia does not have a private right of action — enforcement is exclusively through the Attorney General. The AG has a 30-day cure period before enforcement, giving businesses an opportunity to remedy violations. Virginia's law applies to businesses that process data on 100,000+ Virginia residents, or 25,000+ if they derive over 50% of revenue from data sales.

Colorado (CPA)

Colorado's Privacy Act is notable for its universal opt-out mechanism requirement — businesses must honour browser-based opt-out signals (such as Global Privacy Control) as valid consumer opt-out requests. This means consumers do not need to visit each website individually to exercise their opt-out rights. Colorado also requires data protection assessments for processing activities that present a heightened risk of harm. The AG has enforcement authority with penalties up to $20,000 per violation, one of the higher penalty thresholds among state laws.

Texas (TDPSA)

Texas is the second-largest state by population with a comprehensive privacy law, making it significant by sheer volume of covered consumers. The Texas Data Privacy and Security Act carries the highest per-violation penalty at $25,000. While it follows the Virginia-style opt-out model, Texas's AG office has signalled aggressive enforcement, particularly around data broker compliance and deceptive consent practices. Small businesses are largely exempt, but any business processing personal data of Texas residents at scale should treat TDPSA compliance as a priority.

Connecticut (CTDPA)

Connecticut was the fifth state to enact a comprehensive privacy law and is considered one of the more consumer-friendly frameworks after California. The CTDPA includes a provision for universal opt-out signals (similar to Colorado), requires data protection assessments, and does not include a permanent cure period — the initial 60-day cure provision expired on January 1, 2025. This makes Connecticut one of the stricter enforcement environments outside California, as the AG can now pursue violations without giving businesses an opportunity to remedy first.

Common consumer rights across all states

Despite differences in deadlines and enforcement, every US state privacy law grants consumers the same core set of rights. Understanding these rights is essential because a single consumer request may invoke multiple rights simultaneously.

Right to know / access — consumers can request a copy of the personal data a business holds about them. This is the DSAR equivalent. Every state includes this right.

Right to delete — consumers can request deletion of their personal data. Most states include exceptions for data needed to complete transactions, comply with legal obligations, or detect security incidents. Iowa is the only state that does not include a general right to delete data collected by the controller.

Right to correct — consumers can request correction of inaccurate personal data. Added by CPRA in California and included in most laws enacted after 2022. Not included in Iowa or Utah.

Right to opt out — consumers can opt out of the sale of personal data, targeted advertising, and/or profiling. The scope varies: California covers sale, sharing, and sensitive data use. Most other states cover sale and targeted advertising. Some states require businesses to honour universal opt-out signals (browser-based signals like Global Privacy Control).

Right to data portability — consumers can request their data in a portable, commonly used format. Included in most laws, though the practical standard for "portable format" varies.

Why redaction is required in every state

No US state privacy law explicitly uses the word "redaction" — but every law requires it in practice. When a consumer exercises their right to access, the business must provide their personal data without disclosing the personal data of other individuals. This means any document included in an access response that contains third-party personal information must have that information permanently removed before disclosure.

This applies regardless of jurisdiction. Whether you are responding to a California consumer under CCPA, a Virginia resident under VCDPA, or a Texas resident under TDPSA, the redaction obligation is the same: identify and remove all third-party PII while preserving the requesting consumer's data. The legal basis differs — California frames it as avoiding "adversely affecting the rights and freedoms of other consumers," while Virginia references the obligation not to disclose data of other individuals — but the practical requirement is identical.

For organisations processing access requests at scale, this means the redaction workflow does not change by state. The same detection pipeline, the same review process, and the same export format apply whether the deadline is 45 days or 90 days. What changes is the deadline, the disclosure requirements (some states require more supplementary information than others), and the enforcement risk if you get it wrong.

The trend toward harmonisation

The fragmented patchwork is slowly converging. Virginia's VCDPA has become the de facto template — Indiana, Kentucky, Tennessee, and at least five other states modelled their laws directly on Virginia's framework. This means that for most practical purposes, a business compliant with Virginia and California is compliant with the majority of state laws.

The 45-day response deadline has become the standard. The opt-out consent model (as opposed to the opt-in model used in the EU) is universal across US states. Applicability thresholds cluster around 100,000 consumers or 25,000 consumers with 50%+ revenue from data sales. Enforcement is almost exclusively through state Attorneys General, with California being the sole exception with its dedicated agency.

For businesses building compliance programmes, the practical recommendation is: build to the California standard for rights handling (the most comprehensive), apply the 45-day deadline universally, and maintain jurisdiction-specific documentation for the supplementary information required in each state's access response format. The redaction step is identical regardless of jurisdiction — automate it once and apply it everywhere.

2026 developments to watch

California ADMT regulations (January 1, 2027) — Businesses using automated decision-making for significant decisions must provide pre-use notices, offer opt-out rights, and include ADMT information in access request responses. This creates a new category of data that must be included in DSAR fulfillment.

California cybersecurity audits (phased from April 2028) — Mandatory independent annual audits for businesses whose processing presents significant risk. Systems used for DSAR processing are within scope. Phased by revenue tier through 2030.

Connecticut cure period expiration — The 60-day cure provision expired January 1, 2025, making Connecticut one of the strictest enforcement environments. The AG can now pursue violations without offering businesses an opportunity to remedy first.

Maryland MODPA enforcement (April 2026) — Maryland's law includes the lowest applicability threshold at 35,000 consumers, broadening the scope of covered businesses. It also includes the strongest data minimisation requirements among US states.

Federal legislation — While no federal law is expected in 2026, ongoing discussions in Congress mean businesses should design compliance programmes that are adaptable to a potential federal standard. Building to the California standard provides the best hedge.

Need to process a data access request?

SafeRedact Enterprise handles bulk document redaction with selective PII preservation and zero data retention. Same workflow regardless of jurisdiction.


Frequently asked questions

How many US states have comprehensive privacy laws?

As of March 2026, over 20 states have enacted comprehensive consumer privacy laws. Three new laws — Indiana, Kentucky, and Rhode Island — took effect on January 1, 2026. Additional states are expected to enact laws in the coming years, though the pace has slowed as more states adopt existing frameworks rather than drafting from scratch.

Do US state privacy laws require redaction of third-party data?

Yes. When fulfilling a consumer data access request, businesses must avoid disclosing personal information about other individuals. This means third-party personal data must be permanently redacted from any documents included in the response, regardless of which state law applies.

What is the typical response deadline for a data access request under US state privacy laws?

Most US state privacy laws require a response within 45 days, with an extension of up to 45 additional days for complex requests. Iowa is the outlier at 90 days with no extension. California allows 45 days + 45 days. The extension must be communicated to the consumer within the original deadline period, with a reason provided.

Is there a federal US privacy law?

No. As of 2026, the United States has no comprehensive federal privacy law. The American Data Privacy and Protection Act (ADPPA) and American Privacy Rights Act (APRA) both stalled in Congress. Compliance depends entirely on state-level requirements, and businesses operating nationally should build to the California standard as the most comprehensive baseline.