US State Privacy Laws — DSAR Requirements by State
Compare DSAR response deadlines, consumer rights, identity verification, and penalties across all 19 US state privacy laws.
Last updated: 2026-03-01
The United States has no single federal privacy law. Instead, individual states have passed their own comprehensive privacy laws — 19 and counting. Each creates data subject access request obligations with different deadlines, consumer rights, and penalties.
If your business processes personal data of US residents, you may need to comply with multiple state laws simultaneously. This page gives you the quick-reference comparison. Click any state for the full DSAR requirements breakdown.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
DSAR Response Deadlines and Penalties
| Jurisdiction | Law | Response Deadline | Extension | Max Penalty | Cure Period |
|---|---|---|---|---|---|
| California | CCPA/CPRA | 45 days | +45 days | $7,500/violation | None |
| Virginia | VCDPA | 45 days | +45 days | $7,500/violation | 30 days |
| Colorado | CPA | 45 days | +45 days | $20,000/violation | Expired |
| Connecticut | CTDPA | 45 days | +45 days | $5,000/violation | Expired |
| Utah | UCPA | 45 days | +45 days | $7,500/violation | 30 days (permanent) |
| Oregon | OCPA | 45 days | +45 days | $7,500/violation | Expired |
| Texas | TDPSA | 45 days | +45 days | $7,500/violation | Expired |
| Montana | MTCDPA | 45 days | +45 days | $7,500/violation | 60 days (exp. Apr 2026) |
| Delaware | DPDPA | 45 days | +45 days | $10,000/violation | Expired |
| Iowa | ICDPA | 90 days | None | $7,500/violation | 90 days (permanent) |
| Nebraska | NDPA | 30 days | +30 days | $7,500/violation | 30 days (permanent) |
| New Hampshire | NHPA | 45 days | +45 days | $10,000/violation | Expired |
| New Jersey | NJDPA | 45 days | +45 days | $10K/$20K per violation | 30 days (exp. Jul 2026) |
| Tennessee | TIPA | 45 days | +45 days | $7,500/violation | 60 days (exp. Jul 2027) |
| Minnesota | MCDPA | 45 days | +45 days | $7,500/violation | 30 days (exp. Jul 2026) |
| Maryland | MODPA | 45 days | +15 days only | $10K/$25K per violation | 60 days (exp. Apr 2027) |
| Indiana | INCDPA | 45 days | +45 days | $7,500/violation | 30 days (exp. Jan 2028) |
| Kentucky | KCDPA | 45 days | +45 days | $7,500/violation | 30 days |
| Rhode Island | RIDTPPA | 45 days | +45 days | $10,000/violation | 30 days (exp. Jan 2027) |
For comparison with international privacy laws, see our GDPR guide (30-day deadline, EUR 20M or 4% revenue penalty) and UK GDPR guide (30-day deadline, GBP 17.5M or 4% revenue penalty).
Key Patterns
Response deadlines: Most US states give you 45 days. Iowa is the most generous at 90 days. Nebraska is the tightest US state at 30 days.
Extensions: Most states allow a 45-day extension. Maryland only allows 15 days. Iowa allows no extension at all.
Cure periods: Many states had cure periods that have now expired. Utah, Iowa, and Nebraska have permanent cure periods. California has no cure period.
Private right of action: Only California (for data breaches) allows individuals to sue directly. All other US state laws are enforced only by the Attorney General.
Consumer Rights by State
Not every state grants the same DSAR rights. Most grant access, deletion, and portability. Correction and profiling opt-out vary.
| Right | Most US States | Iowa/Utah |
|---|---|---|
| Access | Yes | Yes |
| Correction | Yes | No |
| Deletion | Yes | Yes |
| Portability | Yes | Yes |
| Opt out of sale | Yes | Yes |
| Opt out of targeted advertising | Yes | Yes |
| Opt out of profiling | Yes | No |
| Appeal denied requests | Yes | No |
Identity Verification
Every state requires identity verification before fulfilling a DSAR, but none prescribe a specific method. See our DSAR identity verification guide for practical approaches.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — deadline details
- DSAR Exemptions — when you can refuse
- CCPA DSARs: The Four Request Types — CCPA overview
- CCPA vs GDPR Right to Delete — comparison