Data Rights Management Laws At-a-Glance

These laws establish the primary consumer data rights obligations across U.S. jurisdictions. While requirements vary, most organizations operationalize compliance through a unified data rights management framework.
Data Rights Management – At-a-Glance Law Table.
Law
Jurisdiction
Key Rights Covered
Applicability Trigger
Why It Matters Operationally
CCPA / CPRA
California
Access, deletion, correction, portability, opt-out (sale/sharing), limit sensitive data
Revenue ≥ $25M OR data thresholds
Establishes the baseline U.S. data rights model; requires full lifecycle request handling, opt-out signals, and detailed documentation
CPA
Colorado
Access, deletion, correction, portability, opt-out (targeted ads, sale, profiling)
≥100K consumers or 25K + revenue from sale
Requires universal opt-out mechanisms and structured workflows across systems
CTDPA
Connecticut
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + sale
Strong enforcement focus; requires consistent request handling and vendor coordination
VCDPA
Virginia
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + revenue from sale
Introduced structured controller obligations for request fulfillment and documentation
UCPA
Utah
Access, deletion, opt-out (sale, targeted ads)
≥$25M revenue + data thresholds
Narrower rights, but still requires intake, tracking, and fulfillment processes
FDBR
Florida
Access, deletion, correction, portability, opt-out
Large companies (≥$1B revenue + criteria)
Applies to large platforms; adds regional enforcement exposure and consumer rights obligations
TDPSA
Texas
Access, deletion, correction, portability, opt-out
Broad applicability (no revenue threshold)
Expands scope to more businesses; increases need for scalable request workflows
OCPA
Oregon
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + sale
Includes nonprofit applicability; increases coverage and enforcement expectations
MCDPA
Minnesota
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + sale
Adds additional enforcement and compliance expectations; requires structured lifecycle management
DPDPA
Delaware
Access, deletion, correction, portability, opt-out
≥35K consumers (lower threshold)
Lower thresholds increase applicability; requires readiness for smaller-scale operations
NJDPA
New Jersey
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + sale
Expands East Coast enforcement footprint; requires consistent execution across systems
MCDPA
Montana
Access, deletion, correction, portability, opt-out
≥50K consumers or 25K + sale
Mid-sized threshold law requiring operational workflows and documentation
TIPA
Tennessee
Access, deletion, correction, portability, opt-out
≥175K consumers or 25K + sale
Includes safe harbor for written programs; emphasizes documented compliance
INCDPA
Indiana
Access, deletion, correction, portability, opt-out
≥100K consumers or 25K + sale
Requires consistent request handling and verification practices
ICDPA
Iowa
Access, deletion, opt-out
≥100K consumers or 25K + sale
More limited rights but still requires fulfillment and documentation processes

 

CLIClaw Tip: Most organizations do not build separate workflows for each law. Instead, they implement a unified data rights management system designed to satisfy overlapping requirements across jurisdictions, with adjustments for state-specific nuances such as opt-out signals, response timelines, and verification standards.