The Utah Consumer Privacy Act (UCPA), in effect since December 31, 2023, is the most limited of the state privacy laws and reaches only larger companies, those taking in at least 25 million dollars a year. It gives Utahns no right to correct inaccurate data, and, like Iowa, it lets businesses handle sensitive information as long as they provide a chance to opt out rather than asking permission first.

The Connecticut Data Privacy Act (CTDPA) has been in force since July 1, 2023 and sits among the stronger state privacy laws. Alongside the core rights to access, correct, delete, and opt out, Connecticut returned in 2023 to widen the law with added protections for health data and for the personal information of children and teens.

In effect since January 1, 2025, the Iowa Consumer Data Protection Act (ICDPA) lets Iowans see, delete, and obtain a copy of the data companies hold and opt out of its sale. It is narrower than most state laws, though: Iowa grants no right to correct inaccurate data, and where most states make a company get a person's consent before handling sensitive information, it asks only that the company offer a chance to opt out.

The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, making Virginia the second state, after California, to enact a comprehensive privacy law. California set the strongest standard, but many of the states that came after have followed Virginia's more limited model rather than California's. It lets Virginians access, correct, delete, and obtain a copy of their data and opt out of targeted advertising, data sales, and certain profiling.