
CCPA and Other State Privacy Laws: Multi-State Compliance

California's CCPA was the first comprehensive state privacy law in the United States, but other states have followed. Understanding the relationship between CCPA and other state laws helps organizations build efficient, multi-state compliance programs.

Key Takeaways

| Point | Summary |
|---|---|
| Leading states | Virginia, Colorado, Connecticut, Utah, and others have enacted privacy laws |
| Common elements | Consumer rights, opt-out, service provider contracts |
| Key differences | Thresholds, consent requirements, enforcement |
| CCPA influence | Most state laws follow CCPA model with variations |
| Compliance strategy | Consider unified approach leveraging CCPA compliance |

Quick Answer: Since CCPA, 15+ states have enacted comprehensive privacy laws with similar consumer rights but varying thresholds and requirements. A CCPA-compliant program provides a strong foundation for multi-state compliance, but state-specific adjustments are needed.

States with Comprehensive Privacy Laws

Enacted Laws (as of 2025)

| State | Law | Effective Date |
|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 |
| Virginia | VCDPA | Jan 2023 |
| Colorado | CPA | July 2023 |
| Connecticut | CTDPA | July 2023 |
| Utah | UCPA | Dec 2023 |
| Iowa | ICDPA | Jan 2025 |
| Indiana | IDPA | Jan 2026 |
| Tennessee | TIPA | July 2025 |
| Montana | MCDPA | Oct 2024 |
| Texas | TDPSA | July 2024 |
| Oregon | OCPA | July 2024 |
| Delaware | DPDPA | Jan 2025 |
| New Jersey | NJDPA | Jan 2025 |
| New Hampshire | NHDPA | Jan 2025 |
| Maryland | MODPA | Oct 2025 |

Applicability Thresholds Comparison

| State | Revenue | Data Volume | Data Revenue |
|---|---|---|---|
| California | $26.625M | 100,000 consumers | 50%+ from data sales |
| Virginia | None | 100,000 consumers OR 50% revenue + 25,000 consumers | N/A |
| Colorado | None | 100,000 consumers OR 25,000 consumers + revenue | N/A |
| Connecticut | None | 100,000 consumers OR 25,000 consumers + revenue | N/A |
| Utah | $25M | 100,000 consumers | 50%+ from data sales |
| Texas | None | Conducts business in Texas and processes/sells PI | N/A |
| Oregon | None | 100,000 consumers OR 25,000 consumers + 25% revenue | N/A |

Consumer Rights Comparison

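| Right | CCPA | VA | CO | CT | UT | TX |
|---|---|---|---|---|---|---|
| Access/Know | Yes | Yes | Yes | Yes | Yes | Yes |
| Delete | Yes | Yes | Yes | Yes | Yes | Yes |
| Correct | Yes | Yes | Yes | Yes | No | Yes |
| Portability | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt-out (sale) | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt-out (targeted ads) | Yes* | Yes | Yes | Yes | Yes | Yes |
| Opt-out (profiling) | Limited | Yes | Yes | Yes | Yes | Yes |
| Appeal | No | Yes | Yes | Yes | No | Yes |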

*CCPA covers "sharing" for cross-context behavioral advertising

Key Differences from CCPA

Consent Models

| State | Approach |
|---|---|
| California | Opt-out for sale/sharing; opt-in for minors |
| Virginia | Opt-out; opt-in for sensitive data processing |
| Colorado | Opt-out; opt-in for sensitive data processing |
| Connecticut | Opt-out; opt-in for sensitive data processing |
| Utah | Opt-out only |
| Texas | Opt-out for sale/targeted ads/profiling |

Sensitive Data Treatment

| State | Approach |
|---|---|
| California | Consumer can limit use; collection permitted |
| Virginia | Opt-in consent required for processing |
| Colorado | Opt-in consent required for processing |
| Connecticut | Opt-in consent required for processing |
| Utah | No special category; opt-out model |
| Texas | Opt-in consent required for processing |

Private Right of Action

| State | Private Lawsuit Allowed? |
|---|---|
| California | Yes (data breaches only) |
| Virginia | No |
| Colorado | No |
| Connecticut | No |
| Utah | No |
| Texas | No |

CCPA is unique in allowing consumers to sue directly for data breaches.

Cure Periods

| State | Cure Period | Notes |
|---|---|---|
| California | 30 days | For regulatory violations |
| Virginia | 30 days | Sunset January 2025 (no longer available) |
| Colorado | 60 days | Sunset January 2025 (no longer available) |
| Connecticut | 60 days | Sunset January 2025 (no longer available) |
| Utah | 30 days | Ongoing |
| Texas | 30 days | Ongoing |

Enforcement

| State | Enforcer | Maximum Penalty |
|---|---|---|
| California | AG + CPPA | $7,988 per violation |
| Virginia | AG | $7,500 per violation |
| Colorado | AG | $20,000 per violation |
| Connecticut | AG | $5,000 per violation |
| Utah | AG | $7,500 per violation |
| Texas | AG | $7,500 per violation |

Data Processing Contracts

Common Requirements

All state laws require written contracts with processors including:

| Requirement | Universal? |
|---|---|
| Purpose specification | Yes |
| Confidentiality | Yes |
| Subcontractor requirements | Yes |
| Audit rights | Most states |
| Deletion at termination | Yes |
| Demonstration of compliance | Most states |

CCPA-Specific Terms

| Requirement | CCPA | Other States |
|---|---|---|
| Sale/sharing prohibition | Yes | Varies (sale focus) |
| Combination restriction | Yes | Less common |
| Certification | Yes | Some states |

Building Multi-State Compliance

Unified Approach

| Element | Recommendation |
|---|---|
| Privacy policy | Cover all applicable state requirements |
| Consumer rights | Build process to handle all state rights |
| Contracts | Include provisions satisfying all states |
| Opt-out | Universal opt-out mechanism |

State-Specific Requirements

| State | Specific Consideration |
|---|---|
| California | "Do Not Sell or Share" link; GPC; SPI limitation link |
| Virginia | Appeal process required |
| Colorado | Universal opt-out mechanism recognition |
| Connecticut | Appeal process required |
| Utah | Simpler requirements; less sensitive data treatment |

Prioritization Approach

| Factor | Consideration |
|---|---|
| Consumer base | Focus on states with most consumers |
| Risk | Private action states (California) first |
| Effective dates | Address upcoming laws before effective |
| Enforcement activity | Active enforcement states priority |

Global Privacy Control Across States

For detailed GPC implementation guidance, see CCPA opt-out requirements.

| State | GPC Requirement |
|---|---|
| California | Must honor as opt-out |
| Colorado | Must honor universal opt-out |
| Connecticut | Must honor universal opt-out |
| Texas | Must honor universal opt-out |
| Montana | Must honor universal opt-out |
| Oregon | Must honor universal opt-out |
| Delaware | Must honor universal opt-out |

Implementing GPC compliance satisfies multiple state requirements.

Common Questions

Do I need separate privacy policies for each state?

No. A single comprehensive privacy policy can address all state requirements. Include state-specific sections or disclosures as needed.

If I comply with CCPA, am I compliant with other states?

CCPA compliance provides a strong foundation but is not sufficient alone. Key gaps:

  • Sensitive data opt-in (Virginia, Colorado, Connecticut, Texas)
  • Appeal rights (Virginia, Colorado, Connecticut)
  • State-specific disclosures
  • Universal opt-out requirements

Which states should I prioritize?

Consider:

  1. California (largest population, private right of action)
  2. Texas (large population, recent law)
  3. States where you have significant customers
  4. States with active enforcement

Will there be a federal privacy law?

Federal privacy legislation has been proposed but not enacted. State laws remain the primary privacy framework in the US. A federal law could preempt some state requirements, but until then, multi-state compliance is necessary.

Compliance Checklist for Multi-State

Foundation (CCPA-Based)

Use the CCPA compliance checklist as your starting point.

  • Comprehensive privacy policy
  • Consumer rights request process
  • "Do Not Sell or Share" opt-out mechanism
  • GPC signal detection and honoring
  • Service provider contracts with privacy terms
  • Data inventory and mapping

State-Specific Additions

  • Sensitive data opt-in consent (VA, CO, CT, TX)
  • Appeal process (VA, CO, CT)
  • Universal opt-out recognition (CO, CT, TX, MT, OR, DE)
  • State-specific disclosures
  • Monitor new state laws for applicability

How Bastion Helps

Multi-state privacy compliance requires a systematic approach and ongoing monitoring.

| Challenge | How We Help |
|---|---|
| Applicability assessment | Determine which state laws apply |
| Gap analysis | Compare current program to multi-state requirements |
| Policy harmonization | Unified privacy notices meeting all requirements |
| Process design | Consumer rights processes for all states |
| Monitoring | Track new laws and regulatory developments |
| Contract updates | Multi-state compliant vendor agreements |
