US state privacy laws are comprehensive consumer-data-privacy statutes passed state by state, starting with California in 2020. They exist because the country has no single federal privacy law. As of 2026, 20 states have one in effect, each giving residents data rights and requiring covered businesses to honor opt-outs.
Below: the full 2026 state map, who these laws actually cover, what they require, and how they differ from the GDPR.
What Are US State Privacy Laws?
US state privacy laws are comprehensive consumer-data-privacy statutes passed one state at a time since California's CCPA took effect in 2020. Each grants residents rights over their personal data. Each also imposes duties on businesses that meet the state's coverage thresholds, filling the gap left by the absence of a single federal privacy law. They are the US corner of the wider privacy-law landscape that governs how businesses handle personal information.
This page covers the comprehensive consumer-privacy laws only, the ones with a broad scope across industries. It sets aside a separate group of sector-specific state laws.
Illinois's Biometric Information Privacy Act (BIPA) regulates fingerprints and face scans. Washington's My Health My Data Act covers health information outside HIPAA. All 50 states separately require data breach notification. Those laws matter, but they answer a narrower question: does your state have a comprehensive privacy law.
Why Does the US Have State Laws Instead of One Federal Privacy Law?
Congress has not passed a comprehensive federal privacy law, so states have filled the gap one statute at a time, creating a patchwork. Each state law stands on its own, with its own thresholds, rights, and enforcement, and there is no ceiling coordinating them.
The practical consequence is that a single website can fall under several state laws at once, and obligations stack by jurisdiction. A site that serves customers in California, Colorado, and Texas needs to satisfy all three laws simultaneously, not just the strictest one.
Privacy professionals openly describe the resulting compliance landscape as overwhelming, even before accounting for the states still adding new laws each year.
Which States Have Comprehensive Privacy Laws? (2026 Map)
As of 2026, 20 US states have a comprehensive consumer privacy law in effect, and two more have laws enacted but not yet active. The list below covers the states with laws currently in force; each state name links to its own dedicated page for the full breakdown.
| State | Law | In effect since | Notable threshold or feature |
|---|---|---|---|
| California | CCPA / CPRA | January 2020 (CCPA); January 2023 (CPRA) | 100,000+ residents' data, or $25 million+ revenue, or 50%+ revenue from selling data; only state with a limited private right of action |
| Virginia | VCDPA | January 2023 | 100,000+ consumers, or 25,000+ consumers and 50%+ revenue from selling data |
| Colorado | CPA | July 2023 | 100,000+ residents, or 25,000+ residents plus revenue from data sales; requires universal opt-out signals |
| Connecticut | CTDPA | July 2023 | Threshold drops from 100,000 to 35,000 consumers in July 2026 |
| Utah | UCPA | December 2023 | $25 million+ revenue required alongside a consumer-count threshold; no universal opt-out mandate |
| Texas | TDPSA | July 2024 | No consumer-count threshold; applies to any business that is not legally small |
| Oregon | OCPA | July 2024 | 100,000+ residents, or 25,000+ plus 25% revenue share; also covers vehicle-use data |
| Montana | MTCDPA | October 2024 | 25,000+ residents, one of the lower consumer-count entry points |
| Florida | Digital Bill of Rights | July 2024 | Narrowest scope of the group; applies mainly to large, high-revenue businesses |
| Delaware | DPDPA | January 2025 | 35,000+ consumers, or 10,000+ plus 20% revenue from data sales |
| Iowa | ICDPA | January 2025 | 100,000+ consumers, or 25,000+ plus 50% revenue from selling data |
| Nebraska | NDPA | January 2025 | No consumer-count threshold; excludes only federally defined small businesses |
| New Hampshire | NHPA | January 2025 | 35,000+ consumers, or 10,000+ plus 25% revenue from data sales |
| New Jersey | NJDPA | January 2025 | 100,000+ consumers, or 25,000+ consumers plus any revenue from a data sale |
| Tennessee | TIPA | July 2025 | Requires $25 million+ revenue plus a 175,000-consumer threshold, one of the highest bars |
| Minnesota | MCDPA | July 2025 | 100,000+ consumers, or 25,000+ plus 25% revenue from selling data |
| Maryland | MODPA | October 2025 | 35,000+ consumers; among the strictest on data minimization; no private right of action |
| Indiana | ICDPA | January 2026 | 100,000+ residents, or 25,000+ plus 50% revenue from selling data |
| Kentucky | KCDPA | January 2026 | 100,000+ consumers, or 25,000+ plus 50% revenue from selling data |
| Rhode Island | RIDTPPA | January 2026 | 35,000+ consumers, or 10,000+ plus 20% revenue from data sales, one of the lowest bars in the country |
California's CCPA and CPRA form the most comprehensive framework and the only one with even a limited private right of action. Maryland ranks among the strictest on data minimization, while Utah's law is generally viewed as the lightest. The roster keeps changing: Oklahoma's law takes effect in January 2027, and Alabama's follows in May 2027, pushing the enacted total past 20.
Check the IAPP US State Privacy Legislation Tracker for the current count and each bill's status. It is the resource privacy teams use to follow the landscape in real time.
New State Privacy Laws Taking Effect in 2026
Three states join the list on January 1, 2026, and existing states are also tightening their rules mid-year.
- Indiana (ICDPA) takes effect January 1, 2026, largely mirroring Virginia's template.
- Kentucky (KCDPA) takes effect January 1, 2026, also following the Virginia model.
- Rhode Island (RIDTPPA) takes effect January 1, 2026, with the lowest applicability thresholds of the three: 35,000 consumers, or 10,000 consumers if more than 20% of revenue comes from selling personal data.
Connecticut lowers its own threshold from 100,000 to 35,000 consumers starting in July 2026, and Oregon's 30-day right-to-cure grace period expired in January 2026. Rhode Island's low bar shows the broader trend: each new wave of laws tends to widen, not narrow, who has to comply.
What Rights Do US State Privacy Laws Give Consumers?
Most comprehensive state laws grant the same core set of consumer rights, which covered businesses must act on within a set window, usually 45 days.
- Access: know what personal data a business holds about you
- Correction: fix inaccurate personal data
- Deletion: request that a business delete your personal data
- Portability: get a copy of your data in a usable format
- Opt-out: decline targeted advertising, the sale of your personal data, and certain profiling
Sensitive data, such as health, biometric, or precise geolocation information, usually needs affirmative opt-in consent before a business can process it. California is the exception: it lets residents opt out of certain sensitive-data uses rather than requiring opt-in consent upfront.
What Do State Privacy Laws Require Businesses to Do?
Covered businesses share a common set of duties across most state laws.
- Post a clear, accurate privacy notice describing what data is collected and why
- Minimize data collection to what the stated purpose actually needs
- Limit secondary uses of data beyond the original purpose
- Use reasonable security to protect personal data
- Honor consumer rights requests within the state's statutory window
- Get opt-in consent before processing sensitive data
- Recognize universal opt-out signals in the states that require it
- Run data protection assessments for high-risk processing, including targeted advertising, profiling, and selling data
These obligations repeat across nearly every state law with only minor variation. A compliance program built around this common core covers most of the landscape at once.
Do State Privacy Laws Apply to My Business? (Thresholds)
Whether a state privacy law applies to your business turns on that state's applicability thresholds, not on where your business is based. Most states use a consumer-count gate, commonly around 100,000 residents per year, or a lower count paired with a share of revenue from selling data.
Texas and Nebraska drop the consumer-count threshold entirely. Both instead cover any business that operates in the state and is not legally small.
A business serving customers across multiple states can trigger several laws simultaneously. Meeting one state's threshold does not mean you meet, or escape, another state's threshold.
California's CCPA applies at 100,000 residents or $25 million in revenue, while Rhode Island's RIDTPPA applies at just 35,000 residents. Thresholds are trending lower over time, not higher, as Rhode Island's law and Connecticut's 2026 amendment both show.
Many small, single-state sites fall below every threshold and owe no obligation under any comprehensive state law. Before assuming that applies to you, check each state where you have meaningful traffic. Also check whether your business sells or shares personal data, since that condition often lowers the bar considerably.
What Are Universal Opt-Out Mechanisms and the "Do Not Sell" Signal?
A universal opt-out mechanism (UOOM) is a browser- or device-level signal, most commonly Global Privacy Control (GPC). It tells every website at once that a resident opts out of targeted advertising and the sale of their data.
A growing number of state laws, including Colorado, Connecticut, Texas, Oregon, Montana, Delaware, and New Jersey, require covered businesses to detect and honor it. Not every state requires this: Utah's law does not mandate UOOM honoring.
Separately, several laws require a clear "Do Not Sell or Share My Personal Information" link or control placed directly on the website. The two obligations are related but distinct. A UOOM is a signal the visitor's browser sends automatically. The "Do Not Sell" link is a control the visitor clicks manually on your site.
The duty to detect and honor a UOOM falls on the business. It is a separate technical requirement from showing a consent banner or an opt-out link.
How Are US State Privacy Laws Enforced? (Fines and the Attorney General)
In almost every state, the state Attorney General is the sole enforcer. There is no private right of action, meaning individual consumers cannot sue directly. California is the lone exception, with a limited private right of action for certain data breaches.
Civil penalties commonly reach up to $7,500 per violation. Texas and Minnesota both confirm this figure directly. Minnesota's Attorney General states violators face "civil penalties of up to $7,500 per violation," and Texas applies the same cap.
California's enforcement runs on a different, larger scale. The state's Privacy Protection Agency and Attorney General have secured settlements against Healthline Media ($1.55 million), Tractor Supply ($1.35 million), and PlayOn Sports ($1.10 million). All three involved opt-out and notice failures.
Several early "right to cure" grace periods, which gave businesses a window to fix violations before facing penalties, have expired or are sunsetting. Oregon's 30-day cure period ended in January 2026. Enforcement is hardening as these grace periods close, not loosening.
How Do State Privacy Laws Differ from the GDPR?
US state privacy laws and the EU's GDPR share the same broad goal: consumer control over personal data. They diverge sharply on the default model and scope.
| Attribute | US state laws (typical) | EU GDPR |
|---|---|---|
| Consent model | Opt-out: process until a resident opts out | Opt-in: consent required before processing |
| Trigger for coverage | Consumer-count or revenue threshold per state | Any processing of an EU resident's data, regardless of size |
| Enforcement | State Attorney General, mostly | National supervisory authority (DPA) per country |
| Universal opt-out | Required in a growing number of states | Not a defined mechanism under GDPR |
The practical effect: a US business can legally process a resident's data by default, and only has to stop when that resident opts out. Under the EU privacy regulation, the same business needs a valid legal basis, usually consent, before it starts processing at all. US state laws also exclude publicly available information from their scope. GDPR makes no such carve-out.
What US State Privacy Laws Mean for Your Website and Cookies
Across the state laws above, a covered website needs to take the same handful of concrete actions.
- Post a clear privacy notice, meaning your cookie, privacy, and terms policies are accurate and current
- Show US visitors a way to opt out of targeted-advertising cookies and data sales, typically through a consent banner and a "Do Not Sell or Share" link
- Honor recognized universal opt-out signals where the state requires it
- Get affirmative consent before loading anything that processes sensitive data
- Keep records of consent choices as proof if a regulator ever asks
The targeted-advertising opt-out is where cookie consent meets US state law most directly. The same banner that manages cookie categories usually satisfies the "opt out of sale and targeted advertising" requirement across every state that has one.
How Consently Helps You Meet US State Opt-Out and Consent Requirements
Consently helps you operate the consumer-facing side of US state-law compliance. It shows US visitors an opt-out consent banner with a "Do Not Sell or Share My Personal Information" control. It also automatically switches banner behavior by region.
Consently's CCPA / US State Laws opt-out template gives US visitors an opt-out banner with a Do-Not-Sell control. Its automatic geotargeting shows EU visitors the opt-in model GDPR requires instead. The same account handles both, so you do not need separate tools for separate regions.
Two features back up the day-to-day work. Consent logs with export keep an audit trail of who opted out and when, useful if a state Attorney General asks for proof. The cookie, privacy, and terms policy generators produce the clear privacy notice these laws require, without starting from a blank page.
Consently does not detect or honor browser-level universal opt-out signals like Global Privacy Control. If your business falls under a state law that requires honoring UOOM signals, that is a separate technical obligation you need to meet another way.
Consently also does not make a site "compliant" on its own. It supports specific consent and disclosure tasks; legal compliance for your business remains your responsibility. Set up your opt-out banner and Do-Not-Sell control, or try Consently free to see the dashboard first.
FAQs
How many states have data privacy laws in 2026?
About 20 US states have a comprehensive consumer privacy law in effect as of 2026. Two more, Oklahoma and Alabama, have enacted laws that are not yet active. The exact count keeps rising as new laws take effect.
Which US state has the strictest privacy law?
California is the most comprehensive, and the only state with a limited private right of action. Maryland and Colorado rank among the strictest on data minimization and universal opt-out requirements.
Do US state privacy laws apply to small businesses?
Usually only if you meet a state's thresholds, often around 100,000 residents, or a lower count paired with revenue from selling data. Many small, single-state sites fall below these thresholds, but Texas and Nebraska drop the count threshold entirely, so check each state where you operate.
Is there a federal US data privacy law?
No comprehensive federal privacy law exists. The US relies on state laws plus sector-specific federal rules, such as HIPAA for health data and GLBA for financial data.
What rights do most US state privacy laws give consumers?
Access, correction, deletion, and data portability, plus the right to opt out of targeted advertising, the sale of personal data, and certain profiling. Sensitive data usually needs opt-in consent first.
Which new state privacy laws take effect in 2026?
Indiana, Kentucky, and Rhode Island all took effect January 1, 2026, with mid-year changes including Connecticut's lowered consumer threshold in July.
Do US state privacy laws have a private right of action?
Almost none do. California is the one exception, and only for a limited set of data breach claims. Every other state's law is enforced solely by the state Attorney General.
What is a universal opt-out mechanism?
A universal opt-out mechanism (UOOM) is a browser- or device-level signal, most commonly Global Privacy Control. It tells every website at once that a visitor opts out of targeted advertising and data sales. A growing number of states require businesses to honor it.
How do US state privacy laws affect my cookie banner?
Most state laws require a way for US visitors to opt out of targeted-advertising cookies and data sales. Your cookie banner typically handles this through a "Do Not Sell or Share" control alongside standard consent categories.

