US state privacy laws
How Koji aligns with the comprehensive privacy laws that have replaced 'CCPA only' as the US standard. Twenty states have active or imminent privacy regimes; the same Koji DPA and operating practices cover all of them.
How the US patchwork works
Unlike the EU, the United States has no single federal privacy regulation. Privacy law is set at the state level. Twenty states have passed comprehensive consumer privacy laws so far, and more are in progress every legislative session. Most follow a common template (often called the "VCDPA model" after Virginia's law) with state-specific variations around thresholds, consumer rights, controller obligations, and enforcement.
Two states deviate meaningfully from the common template: California (CCPA/CPRA) is broader in scope and enforcement, with its own dedicated privacy agency; Maryland (MODPA) adds stricter data-minimization obligations.
How Koji satisfies all of them with one set of practices
Rather than maintaining twenty separate compliance programs, Koji operates a single privacy program built around the strictest applicable requirements. The same controls that satisfy GDPR (the most demanding baseline) plus the California-specific additions satisfy every comprehensive state law:
- Service-provider / processor contract. Koji's DPA includes the service-provider clauses required by every state law, with California-specific clauses for CCPA / CPRA explicitly called out.
- No sale or sharing of personal information. Koji does not sell or share personal information as defined by any state law. This is contractually committed in the DPA.
- Consumer rights support. Koji's platform and operational processes support every right granted under comprehensive state laws: access, correction, deletion, portability, opt-out of sale/sharing/targeted advertising, opt-out of automated decision-making with significant effects, and limit-the-use of sensitive personal information.
- Universal opt-out signals. The application honors Global Privacy Control (GPC) signals where required (currently California, Colorado, Connecticut, and others following).
- Data-minimization and purpose-limitation baked into product configuration, satisfying Maryland's stricter standard.
State-by-state coverage
The table below shows every comprehensive US state privacy law in force as of the "Last updated" date at the top of this page, with Koji's coverage status for each. "Covered" means the law is in force today and our operating practices already satisfy it. "Covered with config" means the law's effective date is in the future and the operating configuration is in place; we will update the status to "Covered" once the law takes effect.
| State | Law | Abbreviation | Effective | Coverage |
|---|---|---|---|---|
| California | Consumer Privacy Act, as amended by the Privacy Rights Act | CCPA / CPRA | 2020-01-01 / 2023-01-01 | Covered |
| Virginia | Consumer Data Protection Act | VCDPA | 2023-01-01 | Covered |
| Colorado | Privacy Act | CPA | 2023-07-01 | Covered |
| Connecticut | Data Privacy Act | CTDPA | 2023-07-01 | Covered |
| Utah | Consumer Privacy Act | UCPA | 2023-12-31 | Covered |
| Texas | Data Privacy and Security Act | TDPSA | 2024-07-01 | Covered |
| Oregon | Consumer Privacy Act | OCPA | 2024-07-01 | Covered |
| Florida | Digital Bill of Rights | FDBR | 2024-07-01 | Covered |
| Montana | Consumer Data Privacy Act | MTCDPA | 2024-10-01 | Covered |
| Tennessee | Information Protection Act | TIPA | 2025-07-01 | Covered |
| Delaware | Personal Data Privacy Act | DPDPA | 2025-01-01 | Covered |
| Iowa | Consumer Data Protection Act | ICDPA | 2025-01-01 | Covered |
| New Hampshire | Privacy Act | NHPA | 2025-01-01 | Covered |
| New Jersey | Data Privacy Act | NJDPA | 2025-01-15 | Covered |
| Nebraska | Data Privacy Act | NDPA | 2025-01-01 | Covered |
| Maryland | Online Data Privacy Act | MODPA | 2025-10-01 | Covered |
| Minnesota | Consumer Data Privacy Act | MCDPA | 2025-07-31 | Covered |
| Indiana | Consumer Data Protection Act | INCDPA | 2026-01-01 | Covered with config |
| Kentucky | Consumer Data Protection Act | KYCDPA | 2026-01-01 | Covered with config |
| Rhode Island | Data Transparency and Privacy Protection Act | RIDTPPA | 2026-01-01 | Covered with config |
California: the deepest dive
California's CCPA as amended by the CPRA is the most expansive US state law, with its own dedicated regulator (the California Privacy Protection Agency) and the most aggressive enforcement record. See CCPA / CPRA for the detailed treatment.
Sectoral US laws (still active)
The comprehensive state laws above sit alongside sectoral US federal regimes that have always applied:
- HIPAA — health information. Available as part of the enterprise tier.
- GLBA — financial information held by regulated financial institutions. See sector frameworks for our position.
- FERPA — student educational records. See sector frameworks.
- COPPA — children under 13. Koji is not directed to children under 13 and does not knowingly collect their data.
Consumer rights: how requests are handled
Because Koji acts as a service provider / processor, consumer rights requests are typically directed to our customer (the business that holds the consumer relationship). Where a consumer contacts Koji directly, we forward the request to the responsible business customer without responding to it ourselves, in line with each applicable state law and our DPA.
Consumers can reach Koji at [email protected] if they cannot identify the responsible business.
Emerging laws and the future
Several states have privacy bills moving through their legislatures (Massachusetts, New York, Pennsylvania, Washington, among others). Koji tracks these and updates this page when a new law is signed. New laws typically slot into the existing Koji privacy program without operational change because the baseline already exceeds what they require.
If a federal comprehensive privacy law is enacted, the patchwork consolidates and the matrix above will be replaced with a federal coverage note.
Questions
For state-specific contract questions, email [email protected]. For consumer rights questions, email [email protected].