|
|
California
|
Access, deletion, correction, portability, opt-out (sale/sharing), limit sensitive data
|
Revenue ≥ $25M OR data thresholds
|
Establishes the baseline U.S. data rights model; requires full lifecycle request handling, opt-out signals, and detailed documentation
|
|
|
Colorado
|
Access, deletion, correction, portability, opt-out (targeted ads, sale, profiling)
|
≥100K consumers or 25K + revenue from sale
|
Requires universal opt-out mechanisms and structured workflows across systems
|
|
|
Connecticut
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + sale
|
Strong enforcement focus; requires consistent request handling and vendor coordination
|
|
|
Virginia
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + revenue from sale
|
Introduced structured controller obligations for request fulfillment and documentation
|
|
|
Utah
|
Access, deletion, opt-out (sale, targeted ads)
|
≥$25M revenue + data thresholds
|
Narrower rights, but still requires intake, tracking, and fulfillment processes
|
|
|
Florida
|
Access, deletion, correction, portability, opt-out
|
Large companies (≥$1B revenue + criteria)
|
Applies to large platforms; adds regional enforcement exposure and consumer rights obligations
|
|
|
Texas
|
Access, deletion, correction, portability, opt-out
|
Broad applicability (no revenue threshold)
|
Expands scope to more businesses; increases need for scalable request workflows
|
|
|
Oregon
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + sale
|
Includes nonprofit applicability; increases coverage and enforcement expectations
|
|
|
Minnesota
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + sale
|
Adds additional enforcement and compliance expectations; requires structured lifecycle management
|
|
|
Delaware
|
Access, deletion, correction, portability, opt-out
|
≥35K consumers (lower threshold)
|
Lower thresholds increase applicability; requires readiness for smaller-scale operations
|
|
|
New Jersey
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + sale
|
Expands East Coast enforcement footprint; requires consistent execution across systems
|
|
|
Montana
|
Access, deletion, correction, portability, opt-out
|
≥50K consumers or 25K + sale
|
Mid-sized threshold law requiring operational workflows and documentation
|
|
|
Tennessee
|
Access, deletion, correction, portability, opt-out
|
≥175K consumers or 25K + sale
|
Includes safe harbor for written programs; emphasizes documented compliance
|
|
|
Indiana
|
Access, deletion, correction, portability, opt-out
|
≥100K consumers or 25K + sale
|
Requires consistent request handling and verification practices
|
|
|
Iowa
|
Access, deletion, opt-out
|
≥100K consumers or 25K + sale
|
More limited rights but still requires fulfillment and documentation processes
|