The Utah Consumer Privacy Act (UCPA), in effect since December 31, 2023, is the most limited of the state privacy laws and reaches only larger companies, those taking in at least 25 million dollars a year. It gives Utahns no right to correct inaccurate data, and, like Iowa, it lets businesses handle sensitive information as long as they provide a chance to opt out rather than asking permission first.

We've tracked data breach notifications since 2005, and the Data Breach Chronology has become one of the primary datasets researchers use to study patterns in data privacy. We’re excited to release a major update today that adds 30 new fields, six new state data sources, and capabilities we’ve wanted to build for a long time.

The Connecticut Data Privacy Act (CTDPA) has been in force since July 1, 2023 and sits among the stronger state privacy laws. Alongside the core rights to access, correct, delete, and opt out, Connecticut returned in 2023 to widen the law with added protections for health data and for the personal information of children and teens.

In effect since January 1, 2025, the Iowa Consumer Data Protection Act (ICDPA) lets Iowans see, delete, and obtain a copy of the data companies hold and opt out of its sale. It is narrower than most state laws, though: Iowa grants no right to correct inaccurate data, and where most states make a company get a person's consent before handling sensitive information, it asks only that the company offer a chance to opt out.