Other US state comprehensive privacy laws (umbrella)

Umbrella framework for the 12+ US state comprehensive privacy laws following the Virginia template with minor divergences and that, individually, do not carry sufficient distinctive content to warrant separate framework treatment. Active VA-template states under this umbrella as of May 2026: IA, IN, TN (permanent cure), DE, NE, NH, NJ (18-month cure sunset), MN, MT, RI (35K threshold — second-lowest), KY. Forthcoming: OK (signed 20 Mar 2026, eff. 1 Jan 2027); AL (signed 17 Apr 2026, eff. 1 May 2027). Common features: five rights with 45-day SLA, sensitive-data opt-in, DPA, AG-only enforcement. Divergences: thresholds, cure-period duration, UOOM-honour requirement (CT, DE, MN, MT, NJ, NH, OR require — others do not). APRA (HR 8818) expired with 118th Congress 3 Jan 2025 and not reintroduced in 119th Congress as of May 2026; no federal preemption in prospect.

Composition

13 controls currently indexed; participates in 5 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Children's privacy across US states — heightened protections
• Cross-jurisdiction consumer / Data Principal rights — operational fabric
• Processor / service provider contract requirements across jurisdictions
• Sensitive personal information — heightened protection across jurisdictions
• Universal Opt-Out Mechanism (UOOM) / Global Privacy Control honour across US states