The Definitive State Privacy Law Comparison Chart for 2025
20+ state privacy laws. Hundreds of overlapping requirements. One clear, side-by-side reference so you never miss a compliance obligation again.
The U.S. state privacy landscape has expanded from one enforceable law in 2020 to 20 comprehensive state privacy statutes as of 2026. Each has different scope thresholds, consumer rights, opt-out mechanisms, cure periods, and enforcement structures. Whether you are a DPO mapping obligations across subsidiaries or a legal team advising on multi-state operations, this comparison chart gives you the clarity you need in minutes, not days.
No credit card. No sales call. Enter your work email below and we will send the chart to your inbox.
20
Comprehensive State Privacy Laws Enacted
IAPP and ArentFox Schiff, as of mid-2025
$1.55M
Largest CCPA Settlement by CA Attorney General
Smith Anderson, July 2025 enforcement action
8
States Amended Their Privacy Laws in 2025
IAPP US State Privacy Laws Report, October 2025
Built for the Reality of Multi-State Privacy Compliance
Twenty states have enacted comprehensive privacy laws since California passed the CCPA in 2018, and nine of them amended their laws in 2025 alone. Keeping up requires more than spreadsheets and browser tabs. These capabilities help privacy teams stay ahead of a landscape that shifts every quarter.
Cross-Entity ROPA Management
When you operate across multiple states, each with distinct scope thresholds and consumer rights, your Records of Processing Activities must reflect every jurisdiction. Priverion automates ROPA recertification across all group entities, so updates cascade as laws change, not weeks later when someone remembers to open the spreadsheet.
AXA achieved a 100% ROPA recertification rate with fully automated workflows.
AXA, Priverion customer proof point
AI-Assisted DPIA and Risk Scoring
States like Colorado and New Jersey now require data protection assessments before high-risk processing can even begin. Maryland's 2025 law adds some of the strictest data minimization standards in the country. Priverion's AI-assisted drafting helps you produce assessment documentation faster, with risk scoring calibrated to each state's specific requirements. AI assists; humans decide. No customer data is used for model training.
Medtec saved 200+ hours in ISO 27001 preparation using Priverion's assessment tools.
Medtec, Priverion customer proof point
Regulatory Change Tracking
In 2025, eight new state privacy laws took effect while nine existing laws received significant amendments. Connecticut tightened minor protections. Colorado added biometric data obligations. California finalized new risk assessment regulations. Priverion's regulatory change tracking keeps your compliance program current as requirements evolve, so you are not relying on outdated law firm blog posts or a spreadsheet your predecessor started and never finished.
Eight state privacy laws became operative in 2025, nearly doubling the number of states with effective laws.
Perkins Coie, Privacy Law Recap 2025 (January 2026)
Incident Management and Breach Workflows
California's CCPA remains one of the only state laws with a private right of action for data breaches. Texas secured a $1.4 billion settlement with Meta over biometric data collection. When a breach happens, response timelines and notification rules differ by state. Priverion's incident management workflows guide your team through jurisdiction-specific breach notification requirements, generating audit-ready evidence packages in minutes rather than weeks.
California's July 2025 CCPA settlement reached $1.55M, the largest to date under that law.
Smith Anderson, Data Privacy in 2026 (January 2026)
Vendor Risk Assessments
Texas filed its first TDPSA lawsuit against Allstate and subsidiary Arity for allegedly embedding tracking software in third-party apps to collect and sell personal data. Your vendor ecosystem is your exposure surface. Priverion's third-party management gives you full visibility into how vendors process data, with assessments mapped to the specific obligations of each state law your organization must comply with.
Zurzach Care achieved 100% vendor risk assessment coverage with Priverion.
Zurzach Care, Priverion customer proof point
Board-Ready Compliance Dashboards
State attorneys general are increasingly coordinating enforcement through a bipartisan Consortium of Privacy Regulators. When your CEO asks "are we compliant everywhere?", you need an answer that is clear, current, and defensible. Priverion's dashboards give CISOs and DPOs real-time visibility across every entity and jurisdiction, turning operational compliance data into board-ready reporting without manual consolidation.
Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months.
Aircraft manufacturer, Priverion customer proof point (first 6 months)
See how Priverion maps compliance obligations across 50+ entities and multiple jurisdictions.
The numbers that make DPOs smile
200+
Hours saved on ISO 27001 preparation
Medtec saved 200+ hours preparing for ISO 27001 certification with Priverion. The typical certification process takes 6 to 12 months; Priverion customers get audit-ready months ahead of schedule.
Medtec, verified customer result
60%
Less compliance admin time
Aircraft manufacturer cut compliance admin time by 60% in their first 6 months. With predictable pricing based on company count, not per-user fees, teams avoid the cost escalation common with enterprise platforms.
Aircraft manufacturer, first 6 months on Priverion
3 mo.
Ahead of schedule on ISO 27001
While ISO 27001 certification typically takes 6 to 12 months, Priverion's audit-ready evidence packages and automated documentation help teams compress timelines significantly.
Medtec, compared to industry-average timelines
Built for the mid-market. Not stripped down from the enterprise.
With GDPR fines now exceeding 7.1 billion euros cumulatively and enforcement expanding well beyond Big Tech, your compliance platform matters more than ever. Here is why growing organizations choose Priverion.
Source: DLA Piper GDPR Fines and Data Breach Survey, January 2026
Priverion
Purpose-built for multi-entity privacy management
- Swiss data sovereignty, guaranteed
Swiss-built and Swiss-hosted. All data processing stays within Swiss infrastructure, outside the reach of extraterritorial laws like the US CLOUD Act and FISA Section 702. In a regulatory climate where even US hyperscalers admit they cannot guarantee EU data sovereignty, this is not a marketing claim: it is a legal differentiator.
Microsoft France GM testified under oath that US data access cannot be ruled out (French Senate, Summer 2025)
- Operational in weeks, not months
Clean, intuitive interface designed for DPOs, not enterprise IT teams. No weeks of configuration or dedicated implementation staff. Aircraft manufacturer saw a 60% reduction in compliance admin time within their first 6 months.
Aircraft manufacturer, first 6 months on Priverion
- Predictable, transparent pricing
Based on number of companies and organizational size. No per-user fees, no per-module expansion traps, no opaque custom quotes. You know what you will pay before you sign.
- All-in-one privacy platform
ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, data mapping, AI Register, and compliance dashboards in a single platform. No module upsells to unlock what you need.
- AI-assisted, human-controlled
AI helps draft DPIAs, score risks, and map regulations. All outputs are reviewed by humans before becoming compliance records. No customer data is ever used for model training.
- Deep, focused integrations
Integrations with HR, procurement, and IT asset management systems that matter for privacy workflows. Fewer connectors, but each one works reliably without ongoing maintenance overhead.
OneTrust
Enterprise-grade with enterprise complexity
- US-headquartered, US-hosted
Subject to the US CLOUD Act and FISA Section 702. European data residency options exist, but the legal entity remains under US jurisdiction. The EU's Berlin Declaration on Digital Sovereignty, adopted November 2025, underscores why this matters.
Declaration for European Digital Sovereignty, signed by all EU Member States, November 2025
- Steep learning curve
Users consistently report complex setup processes that require weeks of configuration and dedicated technical resources. Smaller teams find the platform especially challenging to maintain.
Capterra user reviews, 2025/2026
- Opaque, escalating pricing
No published list prices; custom quotes vary by modules, domains, users, and data volumes. Per aggregated buyer-reported pricing data, mid-market deployments commonly range from the mid-five-figures up to low six-figures annually, with implementation services billed separately. Source: Vendr and Enzuzo aggregated buyer-reported pricing, accessed 2026-05-18.
Enzuzo pricing analysis, March 2026; Vendr procurement data, February 2026
- Modular, pay-per-capability model
Five separate product lines, each billed on its own metric. Each module you add raises your total cost, and the bill can grow in directions you did not anticipate as your team or data footprint expands.
Sprinto OneTrust Review, March 2026
- Comprehensive AI features
Strong AI Governance capabilities and regulatory intelligence across 300+ jurisdictions. A powerful feature set, though it adds to the platform's overall complexity and cost.
- Extensive integration ecosystem
Broad connector library across IT, security, marketing, HR, and cloud platforms. Powerful once fully configured, but maintaining these integrations requires significant ongoing technical oversight.
Enforcement is accelerating. In 2024 alone, European data protection authorities issued approximately 1.2 billion euros in GDPR fines, with breach notifications now averaging 443 per day. The EU AI Act reaches full enforcement for high-risk systems in August 2026, adding another penalty layer. The question is not whether to invest in compliance tooling, but whether yours is right-sized for your organization.
Sources: DLA Piper GDPR Fines Survey, January 2025; EU AI Act enforcement timeline
Honest note: OneTrust is a strong product for large enterprises with dedicated compliance teams and complex GRC needs. Priverion is not a replacement for that. We are built for mid-market and multi-entity organizations that need enterprise-grade privacy management without enterprise complexity or cost. We do not cover ESG, ethics hotlines, or cookie consent.
What's Inside: A Sample from the Full Comparison
The full PDF covers all 20 enacted state privacy laws across 12 comparison categories. Here is a sample of how the chart is structured, covering 6 representative states.
This is a preview of 6 states and 8 categories. The full PDF includes all 20 states and 12 comparison categories.
Sources: enacted statute text, IAPP US State Privacy Legislation Tracker (April 2026), ArentFox Schiff analysis
State Privacy Law Comparison Chart: All 20 Laws, Side by Side
Twenty U.S. states now have comprehensive privacy laws on the books, and the differences between them create real compliance gaps. This free PDF gives you a structured, at-a-glance comparison so you can stop cross-referencing statutes manually.
What you will get:
- Consumer rights mapped across all 20 enacted state laws: access, correction, deletion, opt-out, and portability
- Business obligations compared: sensitive data consent, DPIAs, universal opt-out mechanisms, and cure periods (including Rhode Island's no-cure requirement)
- Applicability thresholds at a glance: from California's revenue-based triggers to Rhode Island's lower 35,000-consumer threshold
- Key 2026 effective dates and amendment timelines, including Indiana, Kentucky, and Rhode Island plus California's new ADMT and risk assessment regulations
Sources include the IAPP US State Privacy Legislation Tracker (updated April 2026) and enacted statute text for all 20 states.
Download the Free Chart
Enter your work email and we will send the PDF directly to your inbox.
Free PDF. No demo required. We will send it to your inbox.
20
U.S. states with comprehensive privacy laws in effect as of 2026
MultiState, February 2026; IAPP Tracker, April 2026
From Spreadsheet Chaos to Strategic Confidence
These are the outcomes that matter: less time on admin, more time on the work that actually protects your organization.
"We went from spending most of our compliance time chasing business units for ROPA updates across multiple subsidiaries to having fully automated recertification. Our DPO now focuses on strategic privacy work instead of spreadsheet maintenance."
Aircraft manufacturer — 60% reduction in compliance admin time, first 6 months
"Achieving 100% ROPA recertification was something we could not imagine with manual processes. Priverion's automation made it possible across all our entities without adding headcount."
AXA — 100% ROPA recertification rate, fully automated
"The vendor risk assessment coverage gave us visibility we never had before. We can now show our board exactly where we stand with every third party that processes personal data."
Zurzach Care — 100% vendor risk assessment coverage
Common Questions About U.S. State Privacy Laws
How many U.S. states have comprehensive privacy laws as of 2025?
As of mid-2025, 20 U.S. states have enacted comprehensive consumer privacy laws. Eight new laws took effect in 2025 alone (Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland), nearly doubling the number of states with enforceable privacy statutes. Additional states including Indiana, Kentucky, and Rhode Island have laws taking effect in 2026. Source: IAPP US State Privacy Legislation Tracker; ArentFox Schiff, 2025.
What is the difference between state privacy laws and GDPR?
GDPR is a single regulation covering all EU/EEA member states with a unified set of requirements. U.S. state privacy laws are enacted independently by each state, creating a patchwork of different scope thresholds, consumer rights, enforcement mechanisms, and cure periods. For organizations operating across multiple states, this means mapping obligations law by law rather than following a single framework. GDPR also applies to data processors directly, while most state laws focus on controllers with separate processor obligations.