US State Privacy Laws: The 2026 Compliance Map

20 US states enforce comprehensive privacy laws in 2026. See which states, what each law requires, and whether the rules apply to your website.


by Riad Us Salehin • 4 July 2026


US state privacy laws are comprehensive consumer-data-privacy statutes passed state by state, starting with California in 2020. They exist because the country has no single federal privacy law. As of 2026, 20 states have one in effect, each giving residents data rights and requiring covered businesses to honor opt-outs.

Below: the full 2026 state map, who these laws actually cover, what they require, and how they differ from the GDPR.

What Are US State Privacy Laws?

US state privacy laws are comprehensive consumer-data-privacy statutes passed one state at a time since California's CCPA took effect in 2020. Each grants residents rights over their personal data. Each also imposes duties on businesses that meet the state's coverage thresholds, filling the gap left by the absence of a single federal privacy law. They are the US corner of the wider privacy-law landscape that governs how businesses handle personal information.

This page covers the comprehensive consumer-privacy laws only, the ones with a broad scope across industries. It sets aside a separate group of sector-specific state laws.

Illinois's Biometric Information Privacy Act (BIPA) regulates fingerprints and face scans. Washington's My Health My Data Act covers health information outside HIPAA. All 50 states separately require data breach notification. Those laws matter, but they answer a narrower question: does your state have a comprehensive privacy law.

Why Does the US Have State Laws Instead of One Federal Privacy Law?

Congress has not passed a comprehensive federal privacy law, so states have filled the gap one statute at a time, creating a patchwork. Each state law stands on its own, with its own thresholds, rights, and enforcement, and there is no ceiling coordinating them.

The practical consequence is that a single website can fall under several state laws at once, and obligations stack by jurisdiction. A site that serves customers in California, Colorado, and Texas needs to satisfy all three laws simultaneously, not just the strictest one.

Privacy professionals openly describe the resulting compliance landscape as overwhelming, even before accounting for the states still adding new laws each year.

Which States Have Comprehensive Privacy Laws? (2026 Map)

As of 2026, 20 US states have a comprehensive consumer privacy law in effect, and two more have laws enacted but not yet active. The list below covers the states with laws currently in force; each state name links to its own dedicated page for the full breakdown.

StateLawIn effect sinceNotable threshold or feature
CaliforniaCCPA / CPRAJanuary 2020 (CCPA); January 2023 (CPRA)100,000+ residents' data, or $25 million+ revenue, or 50%+ revenue from selling data; only state with a limited private right of action
VirginiaVCDPAJanuary 2023100,000+ consumers, or 25,000+ consumers and 50%+ revenue from selling data
ColoradoCPAJuly 2023100,000+ residents, or 25,000+ residents plus revenue from data sales; requires universal opt-out signals
ConnecticutCTDPAJuly 2023Threshold drops from 100,000 to 35,000 consumers in July 2026
UtahUCPADecember 2023$25 million+ revenue required alongside a consumer-count threshold; no universal opt-out mandate
TexasTDPSAJuly 2024No consumer-count threshold; applies to any business that is not legally small
OregonOCPAJuly 2024100,000+ residents, or 25,000+ plus 25% revenue share; also covers vehicle-use data
MontanaMTCDPAOctober 202425,000+ residents, one of the lower consumer-count entry points
FloridaDigital Bill of RightsJuly 2024Narrowest scope of the group; applies mainly to large, high-revenue businesses
DelawareDPDPAJanuary 202535,000+ consumers, or 10,000+ plus 20% revenue from data sales
IowaICDPAJanuary 2025100,000+ consumers, or 25,000+ plus 50% revenue from selling data
NebraskaNDPAJanuary 2025No consumer-count threshold; excludes only federally defined small businesses
New HampshireNHPAJanuary 202535,000+ consumers, or 10,000+ plus 25% revenue from data sales
New JerseyNJDPAJanuary 2025100,000+ consumers, or 25,000+ consumers plus any revenue from a data sale
TennesseeTIPAJuly 2025Requires $25 million+ revenue plus a 175,000-consumer threshold, one of the highest bars
MinnesotaMCDPAJuly 2025100,000+ consumers, or 25,000+ plus 25% revenue from selling data
MarylandMODPAOctober 202535,000+ consumers; among the strictest on data minimization; no private right of action
IndianaICDPAJanuary 2026100,000+ residents, or 25,000+ plus 50% revenue from selling data
KentuckyKCDPAJanuary 2026100,000+ consumers, or 25,000+ plus 50% revenue from selling data
Rhode IslandRIDTPPAJanuary 202635,000+ consumers, or 10,000+ plus 20% revenue from data sales, one of the lowest bars in the country

California's CCPA and CPRA form the most comprehensive framework and the only one with even a limited private right of action. Maryland ranks among the strictest on data minimization, while Utah's law is generally viewed as the lightest. The roster keeps changing: Oklahoma's law takes effect in January 2027, and Alabama's follows in May 2027, pushing the enacted total past 20.

Check the IAPP US State Privacy Legislation Tracker for the current count and each bill's status. It is the resource privacy teams use to follow the landscape in real time.

New State Privacy Laws Taking Effect in 2026

Three states join the list on January 1, 2026, and existing states are also tightening their rules mid-year.

  • Indiana (ICDPA) takes effect January 1, 2026, largely mirroring Virginia's template.
  • Kentucky (KCDPA) takes effect January 1, 2026, also following the Virginia model.
  • Rhode Island (RIDTPPA) takes effect January 1, 2026, with the lowest applicability thresholds of the three: 35,000 consumers, or 10,000 consumers if more than 20% of revenue comes from selling personal data.

Connecticut lowers its own threshold from 100,000 to 35,000 consumers starting in July 2026, and Oregon's 30-day right-to-cure grace period expired in January 2026. Rhode Island's low bar shows the broader trend: each new wave of laws tends to widen, not narrow, who has to comply.

What Rights Do US State Privacy Laws Give Consumers?

Most comprehensive state laws grant the same core set of consumer rights, which covered businesses must act on within a set window, usually 45 days.

  • Access: know what personal data a business holds about you
  • Correction: fix inaccurate personal data
  • Deletion: request that a business delete your personal data
  • Portability: get a copy of your data in a usable format
  • Opt-out: decline targeted advertising, the sale of your personal data, and certain profiling

Sensitive data, such as health, biometric, or precise geolocation information, usually needs affirmative opt-in consent before a business can process it. California is the exception: it lets residents opt out of certain sensitive-data uses rather than requiring opt-in consent upfront.

What Do State Privacy Laws Require Businesses to Do?

Covered businesses share a common set of duties across most state laws.

  • Post a clear, accurate privacy notice describing what data is collected and why
  • Minimize data collection to what the stated purpose actually needs
  • Limit secondary uses of data beyond the original purpose
  • Use reasonable security to protect personal data
  • Honor consumer rights requests within the state's statutory window
  • Get opt-in consent before processing sensitive data
  • Recognize universal opt-out signals in the states that require it
  • Run data protection assessments for high-risk processing, including targeted advertising, profiling, and selling data

These obligations repeat across nearly every state law with only minor variation. A compliance program built around this common core covers most of the landscape at once.

Do State Privacy Laws Apply to My Business? (Thresholds)

Whether a state privacy law applies to your business turns on that state's applicability thresholds, not on where your business is based. Most states use a consumer-count gate, commonly around 100,000 residents per year, or a lower count paired with a share of revenue from selling data.

Texas and Nebraska drop the consumer-count threshold entirely. Both instead cover any business that operates in the state and is not legally small.

A business serving customers across multiple states can trigger several laws simultaneously. Meeting one state's threshold does not mean you meet, or escape, another state's threshold.

California's CCPA applies at 100,000 residents or $25 million in revenue, while Rhode Island's RIDTPPA applies at just 35,000 residents. Thresholds are trending lower over time, not higher, as Rhode Island's law and Connecticut's 2026 amendment both show.

Many small, single-state sites fall below every threshold and owe no obligation under any comprehensive state law. Before assuming that applies to you, check each state where you have meaningful traffic. Also check whether your business sells or shares personal data, since that condition often lowers the bar considerably.

What Are Universal Opt-Out Mechanisms and the "Do Not Sell" Signal?

A universal opt-out mechanism (UOOM) is a browser- or device-level signal, most commonly Global Privacy Control (GPC). It tells every website at once that a resident opts out of targeted advertising and the sale of their data.

A growing number of state laws, including Colorado, Connecticut, Texas, Oregon, Montana, Delaware, and New Jersey, require covered businesses to detect and honor it. Not every state requires this: Utah's law does not mandate UOOM honoring.

Separately, several laws require a clear "Do Not Sell or Share My Personal Information" link or control placed directly on the website. The two obligations are related but distinct. A UOOM is a signal the visitor's browser sends automatically. The "Do Not Sell" link is a control the visitor clicks manually on your site.

The duty to detect and honor a UOOM falls on the business. It is a separate technical requirement from showing a consent banner or an opt-out link.

How Are US State Privacy Laws Enforced? (Fines and the Attorney General)

In almost every state, the state Attorney General is the sole enforcer. There is no private right of action, meaning individual consumers cannot sue directly. California is the lone exception, with a limited private right of action for certain data breaches.

Civil penalties commonly reach up to $7,500 per violation. Texas and Minnesota both confirm this figure directly. Minnesota's Attorney General states violators face "civil penalties of up to $7,500 per violation," and Texas applies the same cap.

California's enforcement runs on a different, larger scale. The state's Privacy Protection Agency and Attorney General have secured settlements against Healthline Media ($1.55 million), Tractor Supply ($1.35 million), and PlayOn Sports ($1.10 million). All three involved opt-out and notice failures.

Several early "right to cure" grace periods, which gave businesses a window to fix violations before facing penalties, have expired or are sunsetting. Oregon's 30-day cure period ended in January 2026. Enforcement is hardening as these grace periods close, not loosening.

How Do State Privacy Laws Differ from the GDPR?

US state privacy laws and the EU's GDPR share the same broad goal: consumer control over personal data. They diverge sharply on the default model and scope.

AttributeUS state laws (typical)EU GDPR
Consent modelOpt-out: process until a resident opts outOpt-in: consent required before processing
Trigger for coverageConsumer-count or revenue threshold per stateAny processing of an EU resident's data, regardless of size
EnforcementState Attorney General, mostlyNational supervisory authority (DPA) per country
Universal opt-outRequired in a growing number of statesNot a defined mechanism under GDPR

The practical effect: a US business can legally process a resident's data by default, and only has to stop when that resident opts out. Under the EU privacy regulation, the same business needs a valid legal basis, usually consent, before it starts processing at all. US state laws also exclude publicly available information from their scope. GDPR makes no such carve-out.

What US State Privacy Laws Mean for Your Website and Cookies

Across the state laws above, a covered website needs to take the same handful of concrete actions.

  • Post a clear privacy notice, meaning your cookie, privacy, and terms policies are accurate and current
  • Show US visitors a way to opt out of targeted-advertising cookies and data sales, typically through a consent banner and a "Do Not Sell or Share" link
  • Honor recognized universal opt-out signals where the state requires it
  • Get affirmative consent before loading anything that processes sensitive data
  • Keep records of consent choices as proof if a regulator ever asks

The targeted-advertising opt-out is where cookie consent meets US state law most directly. The same banner that manages cookie categories usually satisfies the "opt out of sale and targeted advertising" requirement across every state that has one.

How Consently Helps You Meet US State Opt-Out and Consent Requirements

Consently helps you operate the consumer-facing side of US state-law compliance. It shows US visitors an opt-out consent banner with a "Do Not Sell or Share My Personal Information" control. It also automatically switches banner behavior by region.

Consently's CCPA / US State Laws opt-out template gives US visitors an opt-out banner with a Do-Not-Sell control. Its automatic geotargeting shows EU visitors the opt-in model GDPR requires instead. The same account handles both, so you do not need separate tools for separate regions.

Two features back up the day-to-day work. Consent logs with export keep an audit trail of who opted out and when, useful if a state Attorney General asks for proof. The cookie, privacy, and terms policy generators produce the clear privacy notice these laws require, without starting from a blank page.

Consently does not detect or honor browser-level universal opt-out signals like Global Privacy Control. If your business falls under a state law that requires honoring UOOM signals, that is a separate technical obligation you need to meet another way.

Consently also does not make a site "compliant" on its own. It supports specific consent and disclosure tasks; legal compliance for your business remains your responsibility. Set up your opt-out banner and Do-Not-Sell control, or try Consently free to see the dashboard first.

FAQs

How many states have data privacy laws in 2026?

About 20 US states have a comprehensive consumer privacy law in effect as of 2026. Two more, Oklahoma and Alabama, have enacted laws that are not yet active. The exact count keeps rising as new laws take effect.

Which US state has the strictest privacy law?

California is the most comprehensive, and the only state with a limited private right of action. Maryland and Colorado rank among the strictest on data minimization and universal opt-out requirements.

Do US state privacy laws apply to small businesses?

Usually only if you meet a state's thresholds, often around 100,000 residents, or a lower count paired with revenue from selling data. Many small, single-state sites fall below these thresholds, but Texas and Nebraska drop the count threshold entirely, so check each state where you operate.

Is there a federal US data privacy law?

No comprehensive federal privacy law exists. The US relies on state laws plus sector-specific federal rules, such as HIPAA for health data and GLBA for financial data.

What rights do most US state privacy laws give consumers?

Access, correction, deletion, and data portability, plus the right to opt out of targeted advertising, the sale of personal data, and certain profiling. Sensitive data usually needs opt-in consent first.

Which new state privacy laws take effect in 2026?

Indiana, Kentucky, and Rhode Island all took effect January 1, 2026, with mid-year changes including Connecticut's lowered consumer threshold in July.

Do US state privacy laws have a private right of action?

Almost none do. California is the one exception, and only for a limited set of data breach claims. Every other state's law is enforced solely by the state Attorney General.

What is a universal opt-out mechanism?

A universal opt-out mechanism (UOOM) is a browser- or device-level signal, most commonly Global Privacy Control. It tells every website at once that a visitor opts out of targeted advertising and data sales. A growing number of states require businesses to honor it.

How do US state privacy laws affect my cookie banner?

Most state laws require a way for US visitors to opt out of targeted-advertising cookies and data sales. Your cookie banner typically handles this through a "Do Not Sell or Share" control alongside standard consent categories.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.