US State Privacy Laws: A Complete Guide to Every Active Data Privacy Law

When someone submits a data subject access request, your response deadline and obligations depend on where they live. Nineteen US states now have comprehensive privacy laws with DSAR requirements, plus the EU's GDPR and the UK GDPR. Each has different deadlines, consumer rights, and penalties for non-compliance.

This page gives you the quick-reference view. Click any jurisdiction for the full DSAR requirements breakdown.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

DSAR Response Deadlines and Penalties

Jurisdiction	Law	Response Deadline	Extension	Max Penalty	Cure Period
California	CCPA/CPRA	45 days	+45 days	$7,500/violation	None
Virginia	VCDPA	45 days	+45 days	$7,500/violation	30 days
Colorado	CPA	45 days	+45 days	$20,000/violation	Expired
Connecticut	CTDPA	45 days	+45 days	$5,000/violation	Expired
Utah	UCPA	45 days	+45 days	$7,500/violation	30 days (permanent)
Oregon	OCPA	45 days	+45 days	$7,500/violation	Expired
Texas	TDPSA	45 days	+45 days	$7,500/violation	Expired
Montana	MTCDPA	45 days	+45 days	$7,500/violation	60 days (exp. Apr 2026)
Delaware	DPDPA	45 days	+45 days	$10,000/violation	Expired
Iowa	ICDPA	90 days	None	$7,500/violation	90 days (permanent)
Nebraska	NDPA	30 days	+30 days	$7,500/violation	30 days (permanent)
New Hampshire	NHPA	45 days	+45 days	$10,000/violation	Expired
New Jersey	NJDPA	45 days	+45 days	$10K/$20K per violation	30 days (exp. Jul 2026)
Tennessee	TIPA	45 days	+45 days	$7,500/violation	60 days (exp. Jul 2027)
Minnesota	MCDPA	45 days	+45 days	$7,500/violation	30 days (exp. Jul 2026)
Maryland	MODPA	45 days	+15 days only	$10K/$25K per violation	60 days (exp. Apr 2027)
Indiana	INCDPA	45 days	+45 days	$7,500/violation	30 days (exp. Jan 2028)
Kentucky	KCDPA	45 days	+45 days	$7,500/violation	30 days
Rhode Island	RIDTPPA	45 days	+45 days	$10,000/violation	30 days (exp. Jan 2027)
GDPR (EU)	GDPR	30 days	+2 months	EUR 20M or 4% revenue	None
UK GDPR	UK GDPR	30 days	+2 months	GBP 17.5M or 4% revenue	None

Key Patterns

Response deadlines: Most US states give you 45 days. Iowa is the most generous at 90 days. Nebraska is the tightest US state at 30 days. GDPR and UK GDPR are 30 days.

Extensions: Most states allow a 45-day extension. Maryland only allows 15 days. Iowa allows no extension at all. GDPR allows 2 months.

Cure periods: Many states had cure periods that have now expired. Utah, Iowa, and Nebraska have permanent cure periods. GDPR and California have no cure period.

Private right of action: Only California (for data breaches) and GDPR/UK GDPR allow individuals to sue directly. All other US state laws are enforced only by the Attorney General.

Consumer Rights by Jurisdiction

Not every state grants the same DSAR rights. Most grant access, deletion, and portability. Correction and profiling opt-out vary.

Right	Most US States	Iowa/Utah	GDPR/UK GDPR
Access	Yes	Yes	Yes
Correction	Yes	No	Yes
Deletion	Yes	Yes	Yes
Portability	Yes	Yes	Yes
Opt out of sale	Yes	Yes	Yes
Opt out of targeted advertising	Yes	Yes	N/A (consent model)
Opt out of profiling	Yes	No	Yes
Appeal denied requests	Yes	No	Via DPA complaint

Identity Verification

Every jurisdiction requires identity verification before fulfilling a DSAR, but none prescribe a specific method. See our DSAR identity verification guide for practical approaches.

For full privacy law coverage of each jurisdiction, see boringgovernance.com.

Related Guides

How to Respond to a DSAR — response process
DSAR Response Deadlines — deadline details
DSAR Exemptions — when you can refuse
DSAR Software Comparison — tool comparison