In force since July 1, 2024, the Oregon Consumer Privacy Act (OCPA) is one of the broadest state privacy laws in what it reaches. Beyond the usual rights to access, correct, delete, and opt out, Oregon lets residents request the specific companies that received their data, extends to the information generated by a person's car, and bans the sale of precise location data outright.
The Montana Consumer Data Privacy Act (MTCDPA) took effect on October 1, 2024, and its lower coverage thresholds mean it protects Montanans' data across a wider range of companies than most state laws reach. It lets Montanans access, correct, delete, and opt out of the sale and targeted-advertising uses of their data, and a 2025 amendment added strong new protections for the data of minors.
Colorado was among the first states to let people opt out of online tracking with a single browser signal rather than site by site, a requirement built into the Colorado Privacy Act (CPA) that has been in effect since July 1, 2023. The law gives Coloradans the same core rights to access, correct, delete, and opt out, and it empowers the Attorney General to write detailed rules carrying it out.
Passed in 2023, the Indiana Consumer Data Protection Act (INCDPA) carried one of the longest lead times of any state privacy law and did not take effect until January 1, 2026. Modeled on Virginia's law, it gives Indiana residents the right to access, correct, delete, and obtain a copy of their personal data and to opt out of targeted advertising, the sale of their data, and profiling.
The Utah Consumer Privacy Act (UCPA), in effect since December 31, 2023, is the most limited of the state privacy laws and reaches only larger companies, those taking in at least 25 million dollars a year. It gives Utahns no right to correct inaccurate data, and, like Iowa, it lets businesses handle sensitive information as long as they provide a chance to opt out rather than asking permission first.
We've tracked data breach notifications since 2005, and the Data Breach Chronology has become one of the primary datasets researchers use to study patterns in data privacy. We’re excited to release a major update today that adds 30 new fields, six new state data sources, and capabilities we’ve wanted to build for a long time.
The Connecticut Data Privacy Act (CTDPA) has been in force since July 1, 2023 and sits among the stronger state privacy laws. Alongside the core rights to access, correct, delete, and opt out, Connecticut returned in 2023 to widen the law with added protections for health data and for the personal information of children and teens.
In effect since January 1, 2025, the Iowa Consumer Data Protection Act (ICDPA) lets Iowans see, delete, and obtain a copy of the data companies hold and opt out of its sale. It is narrower than most state laws, though: Iowa grants no right to correct inaccurate data, and where most states make a company get a person's consent before handling sensitive information, it asks only that the company offer a chance to opt out.