US State Privacy Laws (Non-California) Guide

Virginia, Colorado, Connecticut, Utah, Texas and the growing patchwork of US state privacy laws.

Last reviewed: 2026-04-29

The growing patchwork

The United States has no comprehensive federal privacy law. Instead, individual states have been passing their own — Virginia kicked off the post-CCPA wave in 2021, and more than a dozen states have followed. The good news for builders: most of these laws are modelled on each other, and a single well-designed opt-out flow can satisfy most of them at once.

This guide covers the laws other than California (CCPA/CPRA gets its own page). If you're scanning a US site, CookieGap currently grades against CCPA; see the "How CookieGap handles US scans" section below for details on what that captures and what it doesn't.

State-by-state, briefly

Virginia (VCDPA, in force July 2023)

Right to opt out of sale, targeted advertising, and certain profiling. Opt-in required for sensitive data. No private right of action.

Colorado (CPA, in force July 2023)

Similar to Virginia, plus a hard requirement to honour a Universal Opt-Out Mechanism such as GPC. Sensitive data opt-in. AG and DAs enforce.

Connecticut (CTDPA, in force July 2023)

Tracks Colorado closely. Opt-out for sale, targeted ads, profiling; opt-in for sensitive data; universal opt-out signal honored.

Utah (UCPA, in force December 2023)

Most business-friendly of the bunch. Opt-out for sale and targeted advertising; no profiling restriction; sensitive data is opt-out, not opt-in.

Texas (TDPSA, in force July 2024)

Broad applicability — applies to any business processing Texan data, with a small-business carve-out. Sensitive data opt-in. AG enforcement only.

Oregon, Montana, Tennessee, Iowa, Indiana, Delaware (2024–2026)

All follow the Virginia/Colorado template. Specific dates and thresholds differ — check the individual statutes when scoping a compliance program.

What they have in common

  • Right to opt out of sale of personal data and targeted advertising.
  • Right to access, correct, and delete data.
  • Privacy policy must disclose categories of data collected and recipients.
  • Sensitive data (health, geolocation, biometrics, race, etc.) gets stronger protections — opt-in in most states, explicit purpose limitation in others.
  • No private right of action — enforcement is by state attorneys general (and the CPPA in California).

Where they diverge

  • Universal opt-out signals (GPC) — required by California, Colorado, Connecticut, Texas, Oregon, and Montana. Optional in Virginia and Utah. Always honour GPC if you can — covering the strict states is cheap.
  • Sensitive data — opt-in in Virginia, Colorado, Connecticut, Texas; opt-out in Utah and Iowa.
  • Cure period — Virginia, Connecticut, and Utah give businesses 30–60 days to fix a violation before fines. California and Colorado ended their cure periods in 2023 and 2025 respectively.
  • Thresholds — vary widely. Texas applies to essentially any non-small business; Utah only above $25M revenue plus a data threshold.

How CookieGap handles US scans

When you scan from a US IP outside California, CookieGap currently applies the global baseline — GDPR, CCPA, and ePrivacy combined — because that combination already covers the core opt-out pattern every US state law requires:

  • A clear opt-out mechanism on the site.
  • No persistent tracking after the user opts out.
  • A privacy policy disclosing data sharing.

What CookieGap doesn't currently flag are state-specific nuances like Virginia's sensitive-data opt-in, Texas's small-business threshold, or GPC signal handling (required by Colorado, Connecticut, and California). Those are policy questions best handled in a privacy review, not a technical scan. For the cookie-and-tracking surface that CookieGap measures, getting CCPA-equivalent compliance right gets you most of the way to compliance everywhere.

See scope & limitations for the full list of what CookieGap does and doesn't test.

What CookieGap measures for CCPA

Derived from the live scanner rubric — updates automatically when the rubric changes.

  • No 'Do Not Sell or Share My Personal Information' link
  • Do Not Sell link present but non-compliant (missing mechanism)
  • Tracking cookies persist after opt-out action
  • No privacy policy found

For the full picture — including what we don't measure — see scope & limitations.

Frequently asked questions

How many US states have a comprehensive privacy law?

More than a dozen as of 2026, with new laws taking effect roughly every quarter. The biggest are California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Tennessee, Iowa, Indiana, and Delaware. The set is moving — always check current effective dates.

Is there a single 'US privacy law' I can comply with to cover all states?

No, but in practice meeting CPRA and Colorado's universal opt-out requirements covers most of what other states require. The main exception is sensitive-data opt-in (Virginia, Colorado, and several others require explicit consent for sensitive categories), so consent flows still need to be aware of state-specific triggers.

Do these state laws apply if my business is in a different state?

Yes, if you target the residents of that state and meet the thresholds. Most of these laws apply at 100,000+ resident records or smaller numbers if a meaningful percentage of revenue comes from selling personal information. Read each law's applicability section carefully — thresholds vary.

Do US state laws require opt-in like GDPR?

No — they all follow the opt-out model. The exception is for 'sensitive personal data' (precise geolocation, health, biometrics, immigration status, etc.), where Virginia, Colorado, and several others require opt-in consent before processing.

Does CookieGap separately score each US state?

Currently CookieGap applies CCPA-equivalent grading to all US scans because the core requirement — a working opt-out, honoured GPC, no persistent tracking after opt-out — is functionally identical across the major state laws. We're tracking enforcement and may add per-state scoring as material differences emerge.

This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently — always confirm current obligations with qualified counsel before making compliance decisions.