

A Blog About FTC regulations and happenings

Ready, Set, Go: More States Adopt Privacy Laws
If you blinked over the past couple of months, you may have missed it: the number of U.S. states that have adopted privacy laws has more than doubled. We are now up to 11 states (not including Nevada, which has a narrow privacy law on the books) with privacy frameworks. Fortunately, there seems to be quite a bit of cross over, at least when it comes to thresholds that companies must meet in order to trigger compliance requirements. We provide below a chart that summarizes those thresholds, including whether non-profits are exempted from compliance (a fairly common question we are asked).
We also encourage you to review periodically the IAPPs useful tracker on state-by-state developments.
State | Bill Title/Effective Date | Thresholds | Application to Non-Profits | |
1 | California | California Consumer Privacy Act / Effective Jan. 1, 2020
California Privacy Rights Act / Effective Jan. 1, 2023 |
NOTE: California has several privacy laws, including their “Shine the Light” law, which applies if you have more than 20 employees.
|
Does NOT apply to nonprofit organizations. |
2 | Colorado |
Colorado Privacy Act / Effective July 1, 2023 |
|
DOES apply to nonprofit organizations. |
3 | Connecticut |
Connecticut Data Privacy Act / Effective July 1, 2023 |
If you conduct business in Connecticut or produce products or services that are targeted to residents of the state, and that control or process the personal data of a particular number of residents, namely either:
|
Does NOT apply to nonprofit organizations. |
4 | Indiana |
Indiana Consumer Data Protection Act / Effective Jan. 1, 2026 |
If you conduct business in Indiana or produce products or services targeted to residents of Indiana and that during a calendar year you:
|
Does NOT apply to nonprofit organizations. |
5 | Iowa |
Iowa Consumer Data Protection Act / Effective Jan. 1, 2025 |
If you conduct business in Iowa or produce products or services targeted to residents of Iowa and that during a calendar year you:
|
Does NOT apply to nonprofit organizations. |
6 | Montana |
Montana Consumer Data Privacy Act / Effective Oct. 1, 2024 |
If you conduct business in Montana or produce products or services targeted to residents of Montana and that during a calendar year you:
|
Does NOT apply to nonprofit organizations. |
7 | Oregon |
Oregon Consumer Privacy Act / Effective July 1, 2024 |
If you conduct business in Oregon or provide products or services to residents of Oregon and that during a calendar year you control or process:
|
Only exempts certain nonprofit organizations (see below); WILL apply to most nonprofit organizations after July 1, 2025
Exemption applies ONLY to:
|
8 | Tennessee | Tennessee Information Protection Act / Effective July 1, 2025 | If you conduct business in Tennessee or produce products or services targeted to residents of Tennessee and that during a calendar year you:
|
Does NOT apply to nonprofit organizations. |
9 | Texas |
Texas Data Privacy and Security Act / Effective July 1, 2024 |
|
Does NOT apply to nonprofit organizations. |
10 | Utah | Utah Consumer Privacy Act / Effective Dec. 31, 2023 |
|
Does NOT apply to nonprofit corporations. |
11 | Virginia |
Virginia Consumer Data Protection Act / Effective Jan. 1, 2023 |
|
Does NOT apply to nonprofit organizations. |
IFRAH Law