Data Subject Rights
| State | Access | Obtain list of specific third parties | Data portability | Delete | Correct | Opt-out of sale | Opt-out of targeted advertising | Opt-out of Profiling / ADMT | Sensitive Data (opt-in, opt-out, limit use, strictly necessary) | No discrimination | Right to appeal denial | Authorized agents | Opt-out signals | Days to respond to requests | Verify identity of requesting consumer |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| California | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Limit Use | ✓ | ✖ | ✓ | ✓ | 15 business days for requests to opt-out and limit use; 45 calendar days for other requests | ✓ |
| Virginia | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✖ | ✖ | 45 calendar days | ✓ |
| Colorado | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Connecticut | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Utah | ✓ | ✖ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ | Opt-Out | ✓ | ✖ | ✖ | ✖ | 45 calendar days | ✓ |
| Texas | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Florida1 | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✖ | ✖ | 45 calendar days | ✓ |
| Oregon | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Montana | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Nebraska | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Iowa | ✓ | ✖ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ | Opt-Out | ✓ | ✓ | ✖ | ✖ | 90 calendar days | ✓ |
| Delaware | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| New Hampshire | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| New Jersey | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Tennessee | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✖ | ✖ | 45 calendar days | ✓ |
| Minnesota | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓2 | Opt-In | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Maryland | ✓ | ✖3 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Strictly Necessary for Product or Service / No Sale3 | ✓ | ✓ | ✓ | ✓ | 45 calendar days | ✓ |
| Indiana | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✖ | ✖ | 45 calendar days | ✓ |
| Kentucky | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✖ | ✖ | 45 calendar days | ✓ |
| Rhode Island | ✓ | ✖ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Opt-In | ✓ | ✓ | ✓ | ✖ | 15 calendar days for revocation of consent; 45 calendar days for other requests | ✓ |
Data Controller Obligations
| State | DPIA | Data minimization | Purpose limitation | Privacy policy | Financial incentive notice | Data security | Processor/service provider/contractor contract requirement | Third-party contract requirement |
|---|---|---|---|---|---|---|---|---|
| California | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Virginia | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Colorado | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✖ |
| Connecticut | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Utah | ✖ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Texas | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Florida | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Oregon | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Montana | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Nebraska | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Iowa | ✖ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Delaware | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| New Hampshire | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| New Jersey | ✓ | ✓ | ✓ | ✓ | ✖4 | ✓ | ✓ | ✖ |
| Tennessee | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Minnesota | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Maryland | ✓ | ✓3 | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Indiana | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Kentucky | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
| Rhode Island | ✓ | ✓ | ✓ | ✓ | ✖ | ✓ | ✓ | ✖ |
Exemptions5
| State | Generally applies to non-profits | Applies to consumers engaged in commercial or employment context (B2B and HR) | Financial institution-related exemptions | HIPAA exemption |
|---|---|---|---|---|
| California | ✖ | ✓ | Data only | Data only |
| Virginia | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Colorado | ✓ | ✖ | Financial institution | Data only |
| Connecticut | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Utah | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Texas | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Florida | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Oregon | ✓ | ✖ | Financial institution | Data only |
| Montana | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Nebraska | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Iowa | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Delaware | ✓ | ✖ | Financial institution | Data only |
| New Hampshire | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| New Jersey | ✓ | ✖ | Financial institution | Data only |
| Tennessee | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Minnesota | ✓2 | ✖ | Financial institution | Data only |
| Maryland | ✓3 | ✖ | Financial institution | Data only |
| Indiana | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Kentucky | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
| Rhode Island | ✖ | ✖ | Financial institution | Covered Entity and Business Associate |
The Legislation
| State | Enactment | Effective Date | Additional Regulations | Link |
|---|---|---|---|---|
| California | California Privacy Rights Act | January 1, 2023 | Yes: View the regulations | View the law |
| Virginia | Virginia’s Consumer Data Protection Act | January 1, 2023 | No | View the law |
| Colorado | Colorado Privacy Act | July 1, 2023 | Yes: View the rules | View the law |
| Connecticut | Connecticut Data Privacy Act | July 1, 2023 | No | View the law |
| Utah | Utah Consumer Privacy Act | December 31, 2023 | No | View the law |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 | No | View the law |
| Florida | Florida Digital Bill of Rights | July 1, 2024 | Yes: View the regulations | View the law |
| Oregon | Oregon Consumer Privacy Act | July 1, 2024 | No | View the law |
| Montana | Montana Consumer Data Privacy Act | October 1, 2024 | No | View the law |
| Nebraska | Nebraska Data Privacy Act | January 1, 2025 | No (Additional guidance to be posted on AG website) | View the law |
| Iowa | Iowa Consumer Data Protection Act | January 1, 2025 | No | View the law |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 | No | View the law |
| New Hampshire | Expectation of Privacy Act | January 1, 2025 | No | View the law |
| New Jersey | New Jersey Data Privacy Act | January 15, 2025 | Yes | View the law |
| Tennessee | Tennessee Information Protection Act | July 1, 2025 | No | View the law |
| Minnesota | Minnesota Consumer Data Privacy Act | July 31, 2025 | No | View the law |
| Maryland | Maryland Online Data Privacy Act | October 1, 2025 | No | View the law |
| Indiana | Indiana Consumer Data Protection Act | January 1, 2026 | No | View the law |
| Kentucky | Kentucky Consumer Data Protection Act | January 1, 2026 | No | View the law |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act | January 1, 2026 | No | View the law |
Current as of October 1, 2025.
1 The Florida Digital Bill of Rights is arguably a comprehensive privacy law, but it applies under narrow circumstances (e.g., among other things, companies that have over $1 billion in global gross annual revenues).
2 The Minnesota Consumer Data Privacy Act extends the right to opt-out of profiling by affording consumers the right to access and question the results of a controller's profiling. Also, Minnesota's law only exempts non-profit organizations established to detect and prevent fraudulent acts in connection with insurance. Other non-profits may fall within the scope of the law, but further guidance is necessary.
3 The Maryland Online Data Privacy Act has a number of idiosyncrasies. For one, Maryland's law prohibits a controller from selling sensitive data. Maryland's law affords consumers the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or to which the controller has disclosed any consumer's personal data. Also, there is a "strictly necessary" data minimization requirement for processing sensitive data. Regarding the non-profit exemption, Maryland's law only exempts non-profit controllers that process personal data solely for the purposes of assisting (i) law enforcement investigating criminal or fraudulent insurance acts, or (ii) first responders for catastrophic events. Other non-profits may fall within scope of the law, but further guidance is necessary.
4 For this field, New Jersey was not included in the same company as Colorado and California for financial incentive notices because New Jersey does not require the extensive level of detail that we see for such notices under the privacy laws of Colorado and California. However, New Jersey does require providing "clear and conspicuous" notice.
5 These reflect some of the common exemptions under these laws, but there are others available under the comprehensive privacy laws. Companies should consult with counsel to learn more.