Loading…
The California Consumer Privacy Act (CCPA) took effect in January 2020 and was strengthened by the California Privacy Rights Act (CPRA) in 2023, which also created the dedicated California Privacy Protection Agency (CPPA).
Since then, 18+ US states have enacted comprehensive privacy laws — each with its own thresholds, definitions, and enforcement timelines. We map a single control framework across all of them so you don't run 18 separate programmes.
For-profit businesses doing business in California meeting any one of these thresholds are in scope:
Annual gross revenue in the previous calendar year
California consumers, households, or devices personal info processed
Annual revenue derived from selling or sharing personal information
Inform consumers of categories collected and purposes of use at or before the point of collection.
Use personal information only for disclosed purposes — no secondary uses without further notice.
Publish a privacy policy with annual disclosures of categories sold, shared, and disclosed.
Implement and maintain reasonable security to protect personal information — a private right of action exists for breaches.
Process opt-out of sale or sharing within 15 business days; honor Global Privacy Control signals.
Limit use and disclosure of sensitive personal information (SSN, geolocation, biometrics, health, immigration status…).
| State | Law | Effective | Regulator |
|---|---|---|---|
| California | CCPA / CPRA | Jan 2020 / Jan 2023 | CPPA + AG |
| Virginia | VCDPA | Jan 2023 | Attorney General |
| Colorado | CPA | Jul 2023 | Attorney General |
| Connecticut | CTDPA | Jul 2023 | Attorney General |
| Utah | UCPA | Dec 2023 | Attorney General |
| Texas | TDPSA | Jul 2024 | Attorney General |
| Oregon | OCPA | Jul 2024 | Attorney General |
| Montana | MTCDPA | Oct 2024 | Attorney General |
| Delaware | DPDPA | Jan 2025 | Department of Justice |
| Iowa | ICDPA | Jan 2025 | Attorney General |
| New Hampshire | NHPA | Jan 2025 | Attorney General |
| New Jersey | NJDPA | Jan 2025 | Attorney General |
At-collection, opt-out, financial incentive, and contact-method-appropriate notices in plain language.
Identity verification, request intake, fulfilment within 45-day statutory window, and CPRA records.
Server-side and client-side GPC signal honoring across web and mobile properties.
CPRA-compliant service provider, contractor, and third-party agreements with required restrictions.
Audit, classify, and surface opt-out controls for cookies, SDKs, pixels, and server-to-server tracking.
Single control framework mapped across CCPA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA and 10+ state laws.
A single mapped control framework with one DSAR pipeline, one cookie consent platform, and one set of contracts — instead of 18 disjointed programmes.