Privacy Policy Requirements by State: A Complete Guide

Privacy law in the United States is a patchwork of state-specific regulations. While there's no comprehensive federal privacy law (yet), several states have enacted their own requirements. Here's what you need to know about privacy policy requirements across the country.

Overview of State Privacy Laws

As of 2026, these states have comprehensive consumer privacy laws:

• California - CCPA/CPRA (most comprehensive)
• Virginia - VCDPA
• Colorado - CPA
• Connecticut - CTDPA
• Utah - UCPA
• Texas - TDPSA
• Oregon - OCPA
• Montana - MTCDPA
• Delaware - DPDPA
• Iowa - ICDPA
• Tennessee - TIPA
• Indiana - INCDPA

More states are expected to pass similar laws. Let's break down the key requirements.

California (CCPA/CPRA)

California has the strictest and most comprehensive state privacy law. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies if you:

• Have $25 million+ in annual revenue, OR
• Handle data of 100,000+ California consumers, OR
• Derive 50%+ revenue from selling/sharing personal information

Privacy Policy Requirements

• Categories of personal information collected (past 12 months)
• Sources of personal information
• Business/commercial purposes for collection
• Categories of third parties you share with
• Categories sold/shared (or state "we don't sell")
• Retention periods for each category
• Consumer rights and how to exercise them

Website Requirements

• "Do Not Sell or Share My Personal Information" link
• "Limit the Use of My Sensitive Personal Information" link (if applicable)
• Two methods to submit requests (phone + web form)

Need a CCPA-compliant policy? Use our CCPA Privacy Policy Generator.

Virginia (VCDPA)

Virginia's Consumer Data Protection Act applies to businesses that:

• Control/process data of 100,000+ Virginia consumers, OR
• Control/process data of 25,000+ consumers AND derive 50%+ revenue from selling data

Privacy Policy Requirements

• Categories of personal data processed
• Purposes for processing
• How consumers can exercise rights
• Categories of data shared with third parties
• Categories of third parties
• Clear disclosure if you sell data or use it for targeted advertising

Consumer Rights

• Right to know/access
• Right to correct
• Right to delete
• Right to data portability
• Right to opt out of sale/targeted advertising/profiling

Colorado (CPA)

Colorado Privacy Act applies to businesses that:

• Process data of 100,000+ Colorado consumers, OR
• Process data of 25,000+ consumers AND derive revenue from selling data

Notable Requirements

• Must recognize universal opt-out signals (e.g., Global Privacy Control)
• Requires privacy notice be "reasonably accessible"
• 45-day response deadline for consumer requests
• Must disclose categories of data sold/shared

Connecticut (CTDPA)

Similar thresholds to Colorado:

• Process data of 100,000+ Connecticut consumers (excluding payment-only data), OR
• Process data of 25,000+ consumers AND derive 25%+ revenue from data sales

Unique Features

• Requires recognition of universal opt-out mechanisms
• No cure period for violations (immediate enforcement)
• Extra protections for sensitive data

Texas (TDPSA)

Texas's law is notable for having NO revenue threshold—it applies based on data handling practices alone. Applies if you:

• Conduct business in Texas, AND
• Process personal data, AND
• Are not a "small business" under SBA standards

Key Requirements

• Reasonably accessible privacy notice
• Categories of data collected and purposes
• Consumer rights disclosure
• Must have "sale" opt-out if applicable

Comparing Consumer Rights Across States

Right	CA	VA	CO	CT	TX
Access/Know	✓	✓	✓	✓	✓
Delete	✓	✓	✓	✓	✓
Correct	✓	✓	✓	✓	✓
Portability	✓	✓	✓	✓	✓
Opt-out of sale	✓	✓	✓	✓	✓
Opt-out of targeted ads	✓	✓	✓	✓	✓
Limit sensitive data use	✓	✓	✓	✓	✓
Private right of action	Limited	✗	✗	✗	✗

States Without Comprehensive Laws

Most states don't have comprehensive privacy laws, but that doesn't mean you're off the hook. Nearly all states have:

• Data breach notification laws: Require notifying consumers of security breaches
• Unfair/deceptive practices laws: Your privacy policy becomes binding; false statements can trigger FTC/state AG action
• Industry-specific rules: Healthcare (HIPAA), financial (GLBA), education (FERPA)

Best Practices for Multi-State Compliance

If you serve customers across the US, follow these guidelines:

1. Default to the Strictest Standard

California's CCPA is the most comprehensive. A CCPA-compliant policy will generally meet other states' requirements.

2. Include All Required Disclosures

• Categories of data collected
• Purposes for each category
• Third-party sharing
• Retention periods
• All consumer rights
• How to submit requests

3. Implement Universal Opt-Out Support

Colorado and Connecticut require honoring Global Privacy Control signals. Implementing this makes compliance easier.

4. Update Annually

State laws are evolving rapidly. Review your policy at least yearly to ensure continued compliance.

Create Your Compliant Policy

Our generators create policies that meet the strictest state requirements:

• General Privacy Policy Generator - Great starting point
• CCPA Privacy Policy Generator - Meets California requirements
• GDPR Privacy Policy Generator - For EU visitors