In a major push to protect people's online information, 12 U.S. states now have rules governing how companies handle personal data.

These laws got strong support from both Republicans and Democrats. But the U.S. Congress hasn't made a single national rule yet.

This leaves businesses, especially marketers, juggling different state rules. Five more states will add their laws by early 2026.

These laws mostly let people see, delete, or stop the sale of their personal information—like names, email addresses, or shopping habits.

But each state has its own twists, like who must follow it and the extra protections it offers. Recently, Connecticut and Montana made major updates to toughen their laws, especially regarding kids' data and health info.

This news roundup breaks it down. It's not legal advice—check each state's full law if you run a business there. We'll cover active laws first, then upcoming ones.

Quick Overview: States with Active Data Privacy Laws

As of November 2025, these 12 states have laws in place. Here's a simple table showing when each started:

| State | Law Name | Started On |
|---|---|---|
| California | California Consumer Privacy Act | Jan. 1, 2020 |
| Virginia | Virginia Consumer Data Protection Act | Jan. 1, 2023 |
| Colorado | Colorado Privacy Act | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act | July 1, 2023 |
| Utah | Utah Consumer Privacy Act | Dec. 31, 2023 |
| Oregon | Oregon Consumer Privacy Act | July 1, 2024 |
| Montana | Montana Consumer Data Privacy Act | Oct. 1, 2024 |
| Iowa | Iowa Data Privacy Act | Jan. 1, 2025 |
| Delaware | Delaware Personal Data Privacy Act | Jan. 1, 2025 |
| New Hampshire | New Hampshire Consumer Data Privacy Act | Jan. 1, 2025 |
| Texas | Texas Data Privacy and Security Act | Jan. 1, 2025 |
| New Jersey | New Jersey Consumer Data Privacy Act | Jan. 16, 2025 |
| Minnesota | Minnesota Data Privacy Act | June 24, 2025 |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 |
| Maryland | Maryland Online Data Privacy Act | Oct. 1, 2025 |
| Nebraska | Nebraska Data Privacy Act | Oct. 1, 2025 |

Note: The table lists 16 states, while the article counts 12 active laws. As of November 2025, every start date listed above has passed, so all of the listed laws are in effect.

Spotlight on Key State Laws: Who Follows and What They Must Do?

Each law targets big companies that handle lots of people's data. They focus on “personal information” (PI), like your address or health details.

Businesses must give notices, let people opt out, and keep data safe. Here's a simple breakdown by state.

1. California: The Pioneer Law

Who it hits: Companies earning $25 million+ yearly, or those buying/selling data of 100,000+ people, or half their money from selling data.

What they must do:

  • Let people say “no” to data sales.
  • Limit use of sensitive info (like health or race).
  • Share a clear privacy notice.
  • Only keep data as long as needed.
  • Make partners follow the rules.

California started it all—it's the oldest and strictest.

2. Virginia: Focus on Health Privacy

Who it hits: Companies handling data of 100,000+ Virginians, or 25,000+ if half their cash comes from data sales.

What they must do:

  • Allow opt-outs for data sales.
  • Give privacy notices.
  • Sign deals with data handlers.
  • Check risks with “impact assessments.”

Big update: No collecting sexual or reproductive health info (like birth control use or pregnancy) without okay. It covers wide stuff, even guessed info from other data.

3. Colorado: Opt-Outs for Ads and Profiles

Who it hits: Companies with 100,000+ Colorado users, or 25,000+ if they sell data (even for discounts).

What they must do:

  • Allow opt-outs for sales, targeted ads, and profiling (decisions based on your data).
  • Share privacy notices.
  • Do risk checks if there's danger to people.

4. Connecticut: New Rules for Kids and AI

Who it hits: Easier to apply now. It covers companies handling data of 35,000+ Connecticut residents (down from 100,000), or 25,000+ if 25% of revenue comes from sales. It also hits anyone selling data or using sensitive info.

What they must do:

  • Opt-out for sensitive data.
  • Collect only what's needed.
  • Give notices and do risk checks.

Fresh updates:

  • People can see and fight “guessed” data or profiling that affects big decisions.
  • Tell if your data trains AI chatbots.
  • Kids under 18: No targeted ads or data sales to minors. Only collect location if super needed, and get consent.

5. Utah: For Big Sellers

Who it hits: $25 million+ revenue, plus handling 100,000+ Utahns' data or 25,000+ if half revenue from sales.

What they must do:

  • Opt-outs for sales and targeted ads.
  • Deals with handlers.
  • Privacy notices.

Simple and business-friendly.

6. Oregon: Extra Rights for Teens

Who it hits: 100,000+ Oregon users, or 25,000+ if 25% revenue from sales.

What they must do:

  • Let people access, fix, and delete their data.
  • List who gets your data.
  • Delete “guessed” data.
  • Get okay for sensitive info and teen profiling.
  • Opt-outs for ads, sales, big profiles.
  • Privacy notices.

7. Montana: Tougher Penalties and Kid Safety

Who it hits: Now lower bar—25,000+ Montanans' data, or 15,000+ if over 25% revenue from sales.

What they must do:

  • Answer requests fast.
  • Opt-outs, including easy “universal” signals.
  • Notices in multiple languages, accessible for disabled folks.
  • Okay for sensitive data.
  • Risk checks for sales, ads, profiling.

New changes:

  • Tell if selling data or using for ads—with opt-out links.
  • Attorney general can fine up to $7,500 per slip-up, no warnings needed.
  • Minors under 18: Use care to avoid harm. Extra consents, no high-risk stuff without checks.

8. Iowa: Basic Safeguards

Who it hits: 100,000+ Iowans' data, or 25,000+ if 50% revenue from sales.

What they must do:

  • Stick to set purposes.
  • Notices and opt-outs for sales.
  • Handle requests (access, delete, etc.).
  • Safe data and contracts.

9. Texas: No Small Biz Excuse

Who it hits: Any company selling data, unless it is tiny under government rules.

What they must do:

  • Honor opt-outs and requests.
  • Okay for sensitive data.
  • Risk checks and contracts.

10. Delaware: Limit Collection

Who it hits: 35,000+ Delawareans' data, or 10,000+ if 20% revenue from sales.

What they must do:

  • Collect only needed data.
  • Okay for sensitive.
  • Requests, opt-outs via signals.
  • Notices and checks.

11. New Hampshire: Standard Protections

Who it hits: 35,000+ users (minus payment data), or 10,000+ if 25% from sales.

What they must do: Same basics as others—opt-outs, notices, requests.

12. New Jersey: Consent for Kids

Who it hits: 100,000+ (minus payments), or 25,000+ if selling data.

What they must do:

  • Minimal data, clear purposes.
  • Okay for sensitive/kids' data; easy to revoke.
  • For 13-16 year olds: Okay for ads/sales/profiling.
  • Security, checks, contracts.
  • Requests: confirm, access, fix, delete, portable.

13. Minnesota: List Data Sharers

Who it hits: 100,000+ Minnesotans, or 25,000+ if 25% from sales.

What they must do:

  • Confirm/access (no trade secrets).
  • Fix, delete, portable copies.
  • Opt-outs for ads/sales.
  • List who gets data.

14. Tennessee: Revenue Threshold

Who it hits: $25 million+ and 175,000+ users, or 25,000+ if 50% from sales.

What they must do:

  • Notices and policies.
  • Requests honored.
  • Purpose-limited.
  • Opt-outs and contracts.

15. Maryland: No Data Sales Allowed

Who it hits: 35,000+ users, or 10,000+ if 20% from sales.

What they must do:

  • Only collect what's essential for services.
  • Requests: know, access, delete.
  • Opt-outs for ads/profiling (bans sales outright).

16. Nebraska: Quick Responses

Who it hits: Selling data, not small businesses.

What they must do:

  • Requests: know, access, delete.
  • Opt-outs for sales/ads.
  • Strong safeguards.
  • Fast replies.

Coming Soon: Two More States Join In

By January 2026, Indiana and Kentucky will add rules. Businesses should prep now.

| State | Law Name | Starts On |
|---|---|---|
| Indiana | Indiana Data Privacy Law | Jan. 1, 2026 |
| Kentucky | Kentucky Consumer Data Protection Act | Jan. 1, 2026 |

Indiana: Impact Checks for Ads

Who it hits: 100,000+ users, or 25,000+ if 50% from sales.

What it requires:

  • Opt-outs for sales.
  • Full notices.
  • Checks for targeted ads.
  • Purpose limits.
  • Okay for sensitive data.

Kentucky: Safeguards and Checks

Who it hits: 100,000+ users, or 25,000+ if 50% from sales.

What it requires:

  • Requests: know, access, delete.
  • Opt-outs for sales/ads.
  • Strong protections.
  • Fast responses.
  • Checks for risky processing.

Why This Matters for Everyday Folks and Businesses?

These laws empower you to control your data—no more surprise sales to advertisers.

For companies, it's a compliance puzzle, but it builds trust. With more states eyeing rules, a national law feels urgent. Stay tuned—privacy is heating up across America.
