Privacy Regulatory Penalties — All 50 States
State privacy laws: CCPA-style consumer rights, breach notification, biometric data regulations, and enforcement notes.
Color-coded by maximum imprisonment severity
Risk tier: High, Medium, Low
| State | Tier | Law | Civil Fine | Criminal Fine | Imprisonment | Notes |
|---|---|---|---|---|---|---|
| Alabama | Low | Data Breach Notification Act | $7,500 | $500,000 cap/breach | N/A | AG exclusive; $5K/day breach notice failure |
| Alaska | High | APIPA / SB 134 | $25,000 | $2,000 | 1 year | Govt employee disclosure = misdemeanor |
| Arizona | Low | A.R.S. § 18-552 | $10,000/individual | N/A | N/A | $500K cap per breach |
| Arkansas | Low | PIPA / Deceptive Trade Practices | $10,000 | N/A | N/A | AG enforcement under DTPA |
| California | Medium | CMIA / CCPA / AB 2013 | $25,000 (willful) | $250,000 | 1 year | Private right of action; $1K nominal damages |
| Colorado | Medium | CPA | $20,000 | N/A | N/A | $500K aggregate cap; AG exclusive |
| Connecticut | Low | CTDPA | $5,000 (willful) | N/A | N/A | Per-consumer violations can be massive |
| Delaware | Low | DPDPA | $10,000 (willful) | N/A | N/A | No cure period as of Jan 2026 |
| Florida | Medium | FLDBR | $50,000 | N/A | N/A | Trebled to $150K for children |
| Georgia | High | SB 473 (eff. July 2026) | $7,500 | $50,000 (computer) | 15 years (felony) | 60-day cure period |
| Hawaii | Medium | SB 3017 / SB 1163 | $10,000/day | N/A | N/A | Treble damages for consumers |
| Idaho | Medium | ID Code § 28-51-105 | $25,000/breach | $2,000 | 1 year | Govt employee disclosure = misdemeanor |
| Illinois | Low | BIPA | $5,000 (intentional) | N/A | N/A | One recovery per person per biometric type |
| Indiana | High | ICDPA (eff. Jan 2026) | $7,500 | $5,000 (privacy invasion) | 2.5 years (Level 6 Felony) | 30-day cure; no private right of action |
| Iowa | Low | ICDPA | $7,500 | N/A | N/A | 90-day mandatory cure; AG exclusive |
| Kansas | Low | KCPA | $10,000 | N/A | N/A | $20K for willful court order violations |
| Kentucky | Low | KCDPA | $7,500 | N/A | N/A | 30-day cure period |
| Louisiana | High | Data Breach Notification | $5,000/day | $250,000 | 10 years | Criminal for wrongful health info disclosure |
| Maine | Medium | LD 1088 | $10 million (initial) | N/A | N/A | $30M for subsequent; 30-day cure |
| Maryland | Medium | MODPA / MCPA | $25,000 (repeat) | $1,000 | 1 year | 60-day cure until April 2027 |
| Massachusetts | High | MDPA (eff. July 2026) | $5,000 | $250,000 (health data) | 10 years | 60-day cure July 2026–Dec 2027 |
| Michigan | High | HIPAA/State | $50,000/violation | $250,000 | 10 years | Federal HIPAA tiers apply |
| Minnesota | Low | MCDPA | $7,500 | N/A | N/A | AG exclusive; no private right of action |
| Mississippi | Low | HB 1051 | $7,500 | N/A | N/A | $100–$750 per consumer for breaches |
| Missouri | High | HIPAA (federal) | $50,000 | $250,000 | 10 years | Federal HIPAA enforcement |
| Montana | High | MTCDPA | $7,500 | $10,000 | 5 years | Cure period sunsets April 2026 |
| Nebraska | Medium | NDPA / LB 504 | $50,000 (minors) | N/A | N/A | $7,500 general; 30-day cure |
| Nevada | Low | NRS 603A | $5,000 | N/A | N/A | AG sole enforcement; no private right |
| New Hampshire | Medium | NHPA / SB 255 | $10,000 | $100,000 (entity felony) | Felony possible | Cure discretionary as of Jan 2026 |
| New Jersey | Medium | NJDPA | $20,000 (subsequent) | N/A | N/A | 30-day cure until July 2026 |
| New Mexico | High | CHISPA / SB 53 | $1,000 (health data) | N/A | 18 months (2nd offense) | Opt-in standard for data collection |
| New York | Medium | SHIELD Act | $20,000 (notification) | N/A | N/A | $5K/violation security failures |
| North Carolina | Medium | NC Personal Data Privacy Act | $2,500 | Misdemeanor | 60 days (Class 2) | $50K cap for breach notification |
| North Dakota | High | HB 1127 | $100,000 | $10,000 (financial) | 5 years (Class C Felony) | $5K/offense breach notice |
| Ohio | High | ORC 1349.19 | $10,000/day (after 90 days) | N/A | 5 years (tampering) | Tiered daily fines for breach notice |
| Oklahoma | Medium | SB 626 (2026) | $150,000/breach | N/A | N/A | Affirmative defense for safeguards |
| Oregon | Medium | OCPA | $7,500 | Class C felony possible | Felony possible | No cure period as of Jan 2026 |
| Pennsylvania | Low | BPINA / UTPCPL | $5,000 (injunction) | N/A | N/A | $3K/violation for senior victims |
| Rhode Island | Low | RIDTPPA | $10,000 | N/A | N/A | No cure period; no private right of action |
| South Carolina | Low | HB 3431 (Social Media) | Treble damages | N/A | N/A | Personal liability for officers |
| South Dakota | Medium | SB 49 (Genetic) / DTPA | $10,000/day | N/A | N/A | $5K/violation genetic data |
| Tennessee | Low | TIPA | $7,500 ($22,500 willful) | N/A | N/A | 60-day cure; NIST safe harbor |
| Texas | Low | TDPSA | $7,500 | N/A | N/A | 30-day cure; AG exclusive |
| Utah | Low | UCPA | AG enforcement | N/A | N/A | Right to correct eff. July 2026 |
| Vermont | Low | VDPA | $10,000 ($25K filings) | N/A | N/A | Private right of action 2026–2028 |
| Virginia | Low | VCDPA | $7,500 ($2.5M cap continuing) | N/A | N/A | 30-day cure; no private right of action |
| Washington | High | MHMDA / CPA | $7,500 (AG) / $25K treble | $250,000 (HIPAA) | 10 years (HIPAA) | Private right of action under MHMDA |
| West Virginia | High | HB 4868 (proposed 2026) | $10,000/violation | $10,000 | 10 years (felony) | AG exclusive enforcement |
| Wisconsin | High | AB-172 (proposed) | $10,000/infraction | $100,000 (for profit) | 3.5 years | Pending legislation for 2027 |
| Wyoming | High | SF0065 / HIPAA | $250,000 (malicious) | $250,000 | 10 years | Govt data restrictions eff. July 2026 |