US State Privacy Laws — DSAR Requirements by State

The United States has no single federal privacy law. Instead, individual states have passed their own comprehensive privacy laws — 19 and counting. Each creates data subject access request obligations with different deadlines, consumer rights, and penalties.

If your business processes personal data of US residents, you may need to comply with multiple state laws simultaneously. This page gives you the quick-reference comparison. Click any state for the full DSAR requirements breakdown.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

DSAR Response Deadlines and Penalties

Jurisdiction	Law	Response Deadline	Extension	Max Penalty	Cure Period
California	CCPA/CPRA	45 days	+45 days	$7,500/violation	None
Virginia	VCDPA	45 days	+45 days	$7,500/violation	30 days
Colorado	CPA	45 days	+45 days	$20,000/violation	Expired
Connecticut	CTDPA	45 days	+45 days	$5,000/violation	Expired
Utah	UCPA	45 days	+45 days	$7,500/violation	30 days (permanent)
Oregon	OCPA	45 days	+45 days	$7,500/violation	Expired
Texas	TDPSA	45 days	+45 days	$7,500/violation	Expired
Montana	MTCDPA	45 days	+45 days	$7,500/violation	60 days (exp. Apr 2026)
Delaware	DPDPA	45 days	+45 days	$10,000/violation	Expired
Iowa	ICDPA	90 days	None	$7,500/violation	90 days (permanent)
Nebraska	NDPA	30 days	+30 days	$7,500/violation	30 days (permanent)
New Hampshire	NHPA	45 days	+45 days	$10,000/violation	Expired
New Jersey	NJDPA	45 days	+45 days	$10K/$20K per violation	30 days (exp. Jul 2026)
Tennessee	TIPA	45 days	+45 days	$7,500/violation	60 days (exp. Jul 2027)
Minnesota	MCDPA	45 days	+45 days	$7,500/violation	30 days (exp. Jul 2026)
Maryland	MODPA	45 days	+15 days only	$10K/$25K per violation	60 days (exp. Apr 2027)
Indiana	INCDPA	45 days	+45 days	$7,500/violation	30 days (exp. Jan 2028)
Kentucky	KCDPA	45 days	+45 days	$7,500/violation	30 days
Rhode Island	RIDTPPA	45 days	+45 days	$10,000/violation	30 days (exp. Jan 2027)

For comparison with international privacy laws, see our GDPR guide (30-day deadline, EUR 20M or 4% revenue penalty) and UK GDPR guide (30-day deadline, GBP 17.5M or 4% revenue penalty).

Key Patterns

Response deadlines: Most US states give you 45 days. Iowa is the most generous at 90 days. Nebraska is the tightest US state at 30 days.

Extensions: Most states allow a 45-day extension. Maryland only allows 15 days. Iowa allows no extension at all.

Cure periods: Many states had cure periods that have now expired. Utah, Iowa, and Nebraska have permanent cure periods. California has no cure period.

Private right of action: Only California (for data breaches) allows individuals to sue directly. All other US state laws are enforced only by the Attorney General.

Consumer Rights by State

Not every state grants the same DSAR rights. Most grant access, deletion, and portability. Correction and profiling opt-out vary.

Right	Most US States	Iowa/Utah
Access	Yes	Yes
Correction	Yes	No
Deletion	Yes	Yes
Portability	Yes	Yes
Opt out of sale	Yes	Yes
Opt out of targeted advertising	Yes	Yes
Opt out of profiling	Yes	No
Appeal denied requests	Yes	No

Identity Verification

Every state requires identity verification before fulfilling a DSAR, but none prescribe a specific method. See our DSAR identity verification guide for practical approaches.

Related Guides

How to Respond to a DSAR — response process
DSAR Response Deadlines — deadline details
DSAR Exemptions — when you can refuse
CCPA DSARs: The Four Request Types — CCPA overview
CCPA vs GDPR Right to Delete — comparison