PrivacyLawMap

Privacy Law Deadlines & Timeline

Track every important US state privacy law date in one place. From effective dates and enforcement starts to cure period sunsets and registration deadlines.

6 upcoming deadlines · 41 total events tracked

Never Miss a Deadline

Get email reminders 30 and 7 days before critical privacy law deadlines.

New LawAmendmentRegistrationEnforcementCure Period Sunset

2023

AmendmentCAJan 1, 2023

CPRA Amendments Take Effect

The California Privacy Rights Act (CPRA) amendments to the CCPA became operative, expanding consumer rights and creating the California Privacy Protection Agency (CPPA).

Past
New LawVAJan 1, 2023

VCDPA Effective Date

The Virginia Consumer Data Protection Act (VCDPA) became effective, making Virginia the second state with a comprehensive privacy law.

Past
EnforcementCAJul 1, 2023

CPRA Enforcement Begins

The California Privacy Protection Agency (CPPA) began enforcing the CPRA amendments. Enforcement is retroactive to January 1, 2023.

Past
New LawCTJul 1, 2023

CTDPA Effective Date

The Connecticut Data Privacy Act (CTDPA) became effective, introducing comprehensive data privacy rights for Connecticut residents.

Past
New LawCOJul 1, 2023

CPA Effective Date

The Colorado Privacy Act (CPA) became effective, requiring businesses to honor universal opt-out mechanisms by July 1, 2024.

Past
New LawUTDec 31, 2023

UCPA Effective Date

The Utah Consumer Privacy Act (UCPA) became effective. Notable for its more business-friendly approach with no private right of action.

Past

2024

RegistrationCAJan 31, 2024

California Data Broker Registration Deadline

Annual registration deadline for data brokers with the California Privacy Protection Agency under the Delete Act (SB-362).

Past
EnforcementCOJul 1, 2024

Colorado Universal Opt-Out Mechanism Required

Colorado began requiring businesses to honor universal opt-out mechanisms, including Global Privacy Control (GPC).

Past
New LawTXJul 1, 2024

TDPSA Effective Date

The Texas Data Privacy and Security Act (TDPSA) became effective. Applies to businesses operating in Texas with no revenue or data processing threshold.

Past
New LawORJul 1, 2024

OCDPA Effective Date

The Oregon Consumer Data Privacy Act (OCDPA) became effective, with a 30-day cure period that sunsets on January 1, 2026.

Past
New LawFLJul 1, 2024

Florida Digital Bill of Rights Effective Date

The Florida Digital Bill of Rights (FDBR) became effective, with a high applicability threshold of $1 billion in global revenue.

Past
New LawMTOct 1, 2024

MTCDPA Effective Date

The Montana Consumer Data Privacy Act (MTCDPA) became effective, applying to businesses that process data of 50,000+ Montana consumers.

Past

2025

New LawDEJan 1, 2025

Delaware DPDPA Effective Date

The Delaware Personal Data Privacy Act (DPDPA) became effective. Notable for including nonprofit organizations in its scope.

Past
New LawIAJan 1, 2025

Iowa ICDPA Effective Date

The Iowa Consumer Data Protection Act (ICDPA) became effective. More business-friendly with permanent 90-day cure period.

Past
New LawNHJan 1, 2025

New Hampshire NHDPA Effective Date

The New Hampshire Data Privacy Act became effective, closely modeled after the Connecticut CTDPA.

Past
Cure Period SunsetCTJan 1, 2025

Connecticut CTDPA Cure Period Sunsets

The 60-day cure period under the Connecticut Data Privacy Act (CTDPA) sunsets, removing the automatic opportunity to cure violations before enforcement.

Past
Cure Period SunsetVAJan 1, 2025

Virginia VCDPA Cure Period Sunsets

The 30-day cure period under the Virginia Consumer Data Protection Act sunsets, giving the AG discretion on whether to allow cure.

Past
EnforcementCTJan 1, 2025

Connecticut Universal Opt-Out Mechanism Required

Connecticut begins requiring businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC).

Past
New LawNJJan 15, 2025

New Jersey NJDPA Effective Date

The New Jersey Data Privacy Act (NJDPA) became effective, with broad applicability and protections for sensitive data including financial data.

Past
RegistrationCAJan 31, 2025

California Data Broker Registration Deadline (2025)

Annual data broker registration deadline with the CPPA. Failure to register may result in penalties of $200 per day.

Past
Cure Period SunsetTXJul 1, 2025

Texas TDPSA Cure Period Consideration

The Texas Attorney General will begin considering cure period requests as a factor, rather than granting automatic cure periods.

Past
New LawTNJul 1, 2025

Tennessee TIPA Effective Date

The Tennessee Information Protection Act (TIPA) becomes effective, with an affirmative defense for businesses following NIST privacy framework.

Past
New LawMDAug 28, 2025

Maryland MODPA Effective Date

The Maryland Online Data Privacy Act (MODPA) becomes effective. One of the strongest state privacy laws with data minimization requirements.

Past
New LawNESep 1, 2025

Nebraska NDPA Effective Date

The Nebraska Data Privacy Act becomes effective, applying broadly to businesses operating in Nebraska without revenue thresholds.

Past
AmendmentORSep 26, 2025

Oregon HB 3875 Amendments Effective

Oregon HB 3875 amendments to the Oregon Consumer Data Privacy Act take effect, removing threshold requirements for motor vehicle manufacturers, prohibiting the sale of personal data of consumers known to be under 16, and prohibiting the sale of precise geolocation data within a 1,750-foot radius.

Past
New LawMNOct 1, 2025

Minnesota MCDPA Effective Date

The Minnesota Consumer Data Privacy Act (MCDPA) becomes effective, notable for including a private right of action.

Past
AmendmentMTOct 1, 2025

Montana SB 297 Amendments Effective

Montana SB 297 amends the Montana Consumer Data Privacy Act with new thresholds (25,000 consumers or 15,000 if 25%+ revenue from data sales), adds a duty of care for minors, removes the right to cure, and broadens enforcement powers for the Attorney General.

Past

2026

EnforcementCAJan 1, 2026

California Delete Act Deletion Mechanism

The CPPA must establish a one-stop deletion mechanism allowing consumers to request all data brokers delete their personal information.

Past
Cure Period SunsetORJan 1, 2026

Oregon OCDPA Cure Period Sunsets

The 30-day cure period under the Oregon Consumer Data Privacy Act sunsets on January 1, 2026.

Past
New LawINJan 1, 2026

Indiana ICDPA Effective Date

The Indiana Consumer Data Protection Act becomes effective, closely modeled after Virginia's VCDPA.

Past
New LawKYJan 1, 2026

Kentucky KCDPA Effective Date

The Kentucky Consumer Data Privacy Act becomes effective, providing standard consumer rights including access, deletion, and opt-out of sale.

Past
New LawRIJan 1, 2026

Rhode Island RIDPPA Effective Date

The Rhode Island Data Privacy and Protection Act becomes effective, establishing comprehensive privacy protections for Rhode Island consumers.

Past
New LawTXJan 1, 2026

Texas Responsible AI Governance Act (TRAIGA) Effective

The Texas Responsible AI Governance Act (HB 149) takes effect, imposing obligations on AI developers and deployers, amending the TDPSA to require processors to protect personal data processed by AI systems, and requiring government entities to disclose AI interactions.

Past
New LawNEJan 1, 2026

Nebraska Age-Appropriate Design Code (LB 504) Effective

Nebraska's Age-Appropriate Online Design Code Act (LB 504) takes effect, requiring covered online services to implement privacy-by-design for users under 18, prohibiting dark patterns, and mandating parental control tools enabled by default for children under 13.

Past
EnforcementCAJan 31, 2026

California Delete Act (DROP) Fines Begin

The California Delete Act's Data Request Online Portal (DROP) begins imposing compounding daily fines of $200 per unfulfilled deletion request for registered data brokers who fail to comply with consumer deletion requests.

Past
New LawWIJul 1, 2026

Wisconsin WDPA Effective Date (Projected)

The Wisconsin Data Privacy Act is projected to become effective, adding Wisconsin to the growing list of states with comprehensive privacy legislation.

AmendmentCTJul 1, 2026

Connecticut SB 1295 Major Amendments Effective

Connecticut SB 1295 overhauls the CTDPA: lowers the base applicability threshold from 100,000 to 35,000 consumers; removes processing thresholds for sensitive data and data sales; eliminates the entity-level GLBA exemption for financial institutions; requires disclosure of personal data use for LLM training; adds consumer right to contest profiling results; expands sensitive data definition to include neural data and transgender/nonbinary status; and strengthens minor protections with a ban on targeted advertising and data sale for minors.

EnforcementNEJul 1, 2026

Nebraska LB 504 Enforcement Begins

The Nebraska Attorney General begins enforcement of the Age-Appropriate Online Design Code Act (LB 504). Violations constitute deceptive trade practices with penalties up to $50,000 per violation.

EnforcementCAAug 1, 2026

California DROP Deletion Processing Begins

Registered data brokers must begin processing consumer deletion requests through the California Delete Act's DELETE Request and Opt-out Platform (DROP). Brokers must access the DROP at least every 45 days. Failure to process requests incurs fines of $200 per deletion request per day of non-compliance.

2027

New LawOKJan 1, 2027

Oklahoma OCDPA Effective Date

The Oklahoma Computer Data Privacy Act (OCDPA/SB 546), signed by Governor Kevin Stitt on March 20, 2026, becomes effective. Oklahoma is the 21st state with a comprehensive consumer data privacy law.

2028

EnforcementCAApr 1, 2028

California Privacy Risk Assessments Due

Initial privacy risk assessments are due under new California privacy regulations requiring mandatory risk assessments for processing activities that present a significant risk to consumer privacy.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.