The US state privacy landscape changed more between 2023 and 2026 than in the entire decade before it. What started as a California-only story with the CCPA in 2018 has become a patchwork of 20 state laws, each with its own effective date, consumer rights menu, business thresholds, enforcement structure, and cure period. In 2025 and 2026 alone, twelve new state laws took effect, and several more states have bills in active legislative sessions.
This tracker covers every enacted state privacy law through mid-2026, explains what changed for businesses as each new law came online, and provides a practical framework for building a multi-state compliance program without duplicating effort for each jurisdiction.
The Current Landscape: 20 States and Counting
US state privacy laws fall into two broad models. Understanding which model a state follows tells you most of what you need to know about its requirements:
- California model — opt-out approach for sensitive data, broader definition of covered businesses (revenue-based threshold), dedicated enforcement agency, private right of action for data breaches, rulemaking authority. Only California currently uses this model fully
- Virginia/uniform model — opt-in consent for sensitive data, narrower business thresholds (consumer count based), AG-only enforcement, no private right of action, 30-60 day cure period (though some states are sunsetting cure periods). Most other states follow this model with variations
Maryland's Online Data Privacy Act (MODPA) is an outlier — it follows the Virginia model's structure but adds California-level strictness in several areas, including data minimization requirements that exceed even CPRA's and a complete ban on selling minor data.
Wave One: The First Five (2020-2024)
These five states were the early adopters, establishing the templates that later states would follow or deviate from.
California — CCPA/CPRA
- Effective: CCPA January 2020; CPRA amendments January 2023
- Thresholds: 25 million dollars annual revenue, OR 100,000 consumers/households, OR 50 percent revenue from selling/sharing PI
- Consumer rights: Know, delete, correct, opt-out of sale/sharing, limit SPI use, opt-out of ADMT, non-discrimination (7 total)
- Sensitive data: Opt-out model (consumers can limit use after collection)
- Enforcement: CPPA (primary) + AG; no cure period as of January 2023
- Universal opt-out: Required (GPC mandated by CPPA regulations)
- Key distinction: Only state with a dedicated privacy enforcement agency, the most detailed rulemaking on ADMT and cybersecurity audits, and the "sharing" concept for cross-context behavioral advertising
Virginia — VCDPA
- Effective: January 2023
- Thresholds: Control/process PI of 100,000 consumers, OR 25,000 consumers with 50 percent revenue from PI sales
- Consumer rights: Access, correct, delete, data portability, opt-out of sale/targeted ads/profiling (6 total)
- Sensitive data: Opt-in consent required before processing
- Enforcement: AG only; 30-day cure period (permanent)
- Universal opt-out: Not required
- Key distinction: Became the template for most subsequent state laws. The permanent 30-day cure period is business-friendly. Virginia does not cover employee or B2B data
Colorado — CPA
- Effective: July 2023
- Thresholds: Control/process PI of 100,000 consumers, OR 25,000 consumers with revenue from selling PI
- Consumer rights: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling (6 total)
- Sensitive data: Opt-in consent required
- Enforcement: AG + District Attorneys; 60-day cure period (sunset January 2025)
- Universal opt-out: Required (effective July 2024)
- Key distinction: First state after California to mandate universal opt-out. The cure period sunset means Colorado now enforces without giving businesses a fix-first window. Colorado's AG office has been particularly active in enforcement
Connecticut — CTDPA
- Effective: July 2023
- Thresholds: Control/process PI of 100,000 consumers, OR 25,000 consumers with more than 25 percent revenue from PI sales
- Consumer rights: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling (6 total)
- Sensitive data: Opt-in consent required
- Enforcement: AG only; 60-day cure period (sunset December 2024)
- Universal opt-out: Required (effective January 2025)
- Key distinction: Very similar to Colorado. Connecticut added specific protections for minors aged 13-16 and requires consent management mechanisms for teenagers
Utah — UCPA
- Effective: December 2023
- Thresholds: 25 million dollars annual revenue AND either control/process PI of 100,000 consumers OR 25,000 consumers with more than 50 percent of revenue from selling PI
- Consumer rights: Access, delete, portability, opt-out of sale/targeted ads (4 total — no correction right)
- Sensitive data: Opt-out model (similar to California)
- Enforcement: AG only; no cure period in statute but AG can grant one at discretion
- Universal opt-out: Not required
- Key distinction: Most business-friendly comprehensive state law. The AND connector on thresholds (revenue AND a consumer-count condition) narrows applicability. Fewest consumer rights. Besides California, only Utah and (later) Iowa use an opt-out approach for sensitive data
Wave Two: 2024 Effective Dates
Three states went live in 2024, each adding wrinkles to the emerging compliance landscape.
Texas — TDPSA
- Effective: July 2024
- Thresholds: No revenue or consumer count threshold — applies to any person conducting business in Texas that processes PI AND is not a "small business" as defined by the SBA (generally under 500 employees depending on industry). This is the broadest applicability threshold of any state
- Consumer rights: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling (6 total)
- Sensitive data: Opt-in consent required
- Enforcement: AG only; 30-day cure period (permanent)
- Universal opt-out: Required (effective January 2025)
- Key distinction: Broadest applicability of any state — most businesses operating in Texas must comply regardless of size. Combined with Texas's 30 million population, this makes TDPSA compliance unavoidable for most nationwide businesses
Oregon — OCPA
- Effective: July 2024
- Thresholds: Control/process PI of 100,000 consumers, OR 25,000 consumers with more than 25 percent revenue from selling PI
- Consumer rights: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling, list of third parties (7 total)
- Sensitive data: Opt-in consent required
- Enforcement: AG only; 30-day cure period (sunset January 2026)
- Universal opt-out: Required (effective January 2026)
- Key distinction: Oregon goes further than most Virginia-model states by covering nonprofit organizations (most state laws exempt nonprofits). It also provides a right to obtain a list of all third parties to whom data has been disclosed — unique among state laws
Montana — MCDPA
- Effective: October 2024
- Thresholds: Control/process PI of 50,000 consumers (lower than most states, reflecting Montana's smaller population), OR 25,000 consumers with more than 25 percent revenue from PI sales
- Consumer rights: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling (6 total)
- Sensitive data: Opt-in consent required
- Enforcement: AG only; 60-day cure period (sunset April 2026)
- Universal opt-out: Required (effective January 2025)
- Key distinction: A 50,000-consumer threshold, half the 100,000 figure most Wave One and Wave Two states use, adjusted for Montana's smaller population (only later laws such as Delaware, New Hampshire and Rhode Island went lower, at 35,000). Businesses that fall below other states' 100,000-consumer thresholds can still be covered in Montana
Wave Three: 2025 — The Biggest Year Yet
Seven state laws took effect in 2025, the single most active year so far, with Indiana and Kentucky, enacted in the same wave, following in January 2026. Here are the notable additions:
Iowa — ICDPA (effective January 2025)
Follows the Virginia model closely. Thresholds: 100,000 consumers or 25,000 consumers with 50 percent PI sale revenue. Consumer rights: access, delete, portability, opt-out of sale/targeted ads (4 total, no correction right, similar to Utah). Sensitive data follows an opt-out model: the controller must give clear notice and an opportunity to opt out before processing. AG enforcement only with a 90-day cure period, the longest of any state. No universal opt-out requirement. Iowa's law is the most business-friendly law enacted since Utah.
Delaware — DPDPA (effective January 2025)
Applies to businesses processing PI of 35,000 Delaware consumers (a threshold shared with New Hampshire and Rhode Island, and lower than Montana's 50,000) or 10,000 consumers with more than 20 percent of revenue from PI sales. Consumer rights mirror Virginia (6 total). Opt-in for sensitive data. Cure period: 60 days, sunsetting December 2025. Universal opt-out required effective January 2026. Notable: Delaware explicitly covers data about consumers under 18 with heightened protections and prohibits targeted advertising to known minors.
Nebraska — NDPA (effective January 2025)
Like Texas, Nebraska's law has no revenue or consumer-count threshold: it applies to any person that conducts business in Nebraska or produces products/services consumed by Nebraska residents, processes or sells personal data, and is not a small business as defined by the SBA. Consumer rights: access, correct, delete, portability, opt-out of sale/targeted ads/profiling (6 total). Opt-in for sensitive data. AG enforcement with a 30-day cure period. Universal opt-out required. The absence of a numeric threshold means any non-small business with Nebraska customers is covered.
New Hampshire — SB 255 (effective January 2025)
Standard Virginia model: 35,000 consumers or 10,000 consumers with PI sale revenue. Six consumer rights. Opt-in for sensitive data. AG enforcement with 60-day cure period. Universal opt-out required effective January 2025 (day one). Closely mirrors Connecticut's approach.
New Jersey — SB 332 (effective January 2025)
Thresholds: 100,000 consumers or 25,000 consumers with PI sale revenue. Seven consumer rights (adds the right to know specifics about automated profiling). Opt-in for sensitive data. AG enforcement with 30-day cure period (sunset July 2026). Universal opt-out required. Notable: New Jersey has broader definitions than most states — it explicitly includes inferences drawn from other PI categories as a separate category of personal information.
Tennessee — TIPA (effective July 2025)
Thresholds: 25 million dollars revenue AND either 175,000 consumers OR 25,000 consumers with more than 50 percent PI sale revenue (a high bar, since the revenue condition and a consumer condition must both be met). Six consumer rights. Opt-in for sensitive data. AG enforcement with 60-day cure period (permanent). No universal opt-out requirement. Tennessee is one of the most business-friendly laws due to its AND-connected threshold.
Indiana — INCDPA (effective January 2026)
Standard Virginia model: 100,000 consumers or 25,000 consumers with more than 50 percent PI sale revenue. Six consumer rights. Opt-in for sensitive data. AG enforcement with 30-day cure period (permanent). No universal opt-out requirement. Indiana follows the Virginia template closely with minimal deviations.
Kentucky — KCDPA (effective January 2026)
Same thresholds as Indiana and Virginia. Six consumer rights. Opt-in for sensitive data. AG enforcement with 30-day cure period (sunset January 2028). No universal opt-out requirement. Kentucky covers nonprofit organizations, following Oregon's approach.
Maryland — MODPA (effective October 2025)
Maryland's Online Data Privacy Act is the most significant law enacted after California's CPRA and pushes the strictest-standard conversation further. Key features:
- Data minimization: Businesses may only collect data that is "reasonably necessary and proportionate" to provide the specific service the consumer requested — stronger than CPRA's language
- Sensitive data: Opt-in consent required, plus children under 18 receive heightened protections
- No sale of minor data: Businesses cannot sell or share PI of consumers known to be under 18 — a complete prohibition, not just an opt-out/opt-in mechanism
- Geofencing prohibition: Businesses cannot use geofencing to collect data, send notifications, or target advertising within a prescribed radius of mental health, reproductive health, substance abuse treatment, or domestic violence facilities
- Private right of action: Available starting in 2027, making Maryland only the second state after California to grant consumers the ability to sue directly
- Universal opt-out: Required
Wave Four: 2026 Additions
Beyond Indiana and Kentucky, three more states activated privacy laws in 2026:
Minnesota — MCDPA (effective July 2026)
Minnesota's law is notable for its broad consumer rights that include a right to question the result of profiling and a right to obtain a meaningful explanation about automated processing. Thresholds: 100,000 consumers or 25,000 consumers with PI sale revenue. Universal opt-out required. Minnesota's profiling-related rights align with the CPPA's ADMT regulations in California, signaling a trend toward AI transparency in privacy law.
Rhode Island — RIDPA (effective January 2026)
Standard Virginia model with 35,000 consumer threshold. Six consumer rights. Opt-in for sensitive data. AG enforcement. Notable for its broad definition of sensitive data which explicitly includes citizenship and immigration status.
Vermont — VDPA (effective July 2026)
Vermont's law replaces its earlier data broker registration law with a comprehensive privacy framework. It includes a private right of action (the third state after California and Maryland), requires data minimization, and mandates universal opt-out compliance. Vermont explicitly prohibits discrimination based on exercising privacy rights and includes strong protections for employee data that most other state laws exclude.
Key Variations Across States
When building a multi-state compliance program, these are the dimensions where state laws diverge most significantly:
Sensitive Data Treatment
Every state except California, Utah, and Iowa requires opt-in consent before processing sensitive data. The practical implication: if you operate in any opt-in state (which includes Virginia, Colorado, Connecticut, Texas, Oregon, and virtually every state enacted after 2022), you must implement opt-in consent for sensitive data categories regardless of the more lenient opt-out approach elsewhere. Build for opt-in and you satisfy both models.
Cure Periods
Cure periods range from 0 days (California; Colorado and Connecticut since their cure periods sunset) to 90 days (Iowa). Many states enacted cure periods with sunset provisions, meaning they will eventually be eliminated. By 2028, most states with sunset provisions will have shifted to no-cure enforcement. The trend is clear: businesses should not rely on cure periods as a safety net.
Universal Opt-Out Mechanisms
Over half the states with comprehensive privacy laws now mandate honoring universal opt-out mechanisms. In practice, this means GPC support is a technical requirement for virtually any business operating in multiple states. The states requiring it as of mid-2026 include: California, Colorado, Connecticut, Texas, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Delaware, Minnesota, Maryland, and Vermont. The states that do not require it — Virginia, Utah, Iowa, Tennessee, Indiana, Kentucky, Rhode Island — are increasingly the exceptions.
Children's Data Protections
Several states go beyond the standard opt-in for sensitive data when it comes to minors:
- California — opt-in required for sale/sharing for minors under 16; parental opt-in for under 13; 7,500 dollar per-violation penalty for child data violations
- Maryland — complete prohibition on selling or sharing PI of consumers known to be under 18
- Delaware — prohibits targeted advertising to consumers known to be under 18
- Connecticut — heightened protections for minors aged 13-16 including dark pattern prohibitions
- Oregon — heightened protections for minors under 16
The trend toward stricter children's data protections at the state level mirrors the federal push through COPPA 2.0 proposals and suggests businesses should build age-gating and parental consent mechanisms proactively.
Nonprofit Coverage
Most state laws exempt nonprofit organizations. However, Oregon and Kentucky include nonprofits in their coverage. If your organization is a nonprofit with national reach, verify your status under each state law — the exemption is not universal.
Building a Multi-State Compliance Program
Managing 20 different compliance regimes individually is neither practical nor necessary. Here is the framework for building a unified program:
Step 1: Map Your State Exposure
For each state with a privacy law, determine whether you meet the applicability thresholds. This requires knowing how many consumers you interact with in each state, your revenue breakdown, and whether your PI processing includes sales or sharing. Remember that states like Texas and Nebraska have no consumer-count threshold — any business operating there is likely covered.
Step 2: Build to the Strictest Standard
Set your compliance baseline at the strictest requirements across all applicable states. In practice, this means:
- Consumer rights: Implement all 7 rights from CPRA (know, delete, correct, opt-out sale/sharing, limit SPI, opt-out ADMT, non-discrimination). This covers every state's rights menu
- Sensitive data: Use opt-in consent as the default for sensitive data processing. This satisfies the Virginia-model states and exceeds the opt-out approach of California, Utah, and Iowa
- Data minimization: Apply Maryland/CPRA-level data minimization — collect only what is reasonably necessary for the specific service requested
- Universal opt-out: Implement GPC detection and response. With 13+ states requiring it, this is functionally mandatory
- No cure reliance: Treat cure periods as irrelevant — build compliance as if no cure period exists
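The one item in that baseline that is pure engineering rather than policy is the universal opt-out plumbing: both the "Universal Opt-Out Mechanisms" section above and the GPC bullet in this list require it. The following Python is an added example written for this article, not code from the page's author or from any CMP vendor. It assumes only what the GPC specification defines (a GPC-enabled browser sends the request header `Sec-GPC: 1`, and "1" is the only defined value). The merge rule between a live signal and a stored preference, the tag catalog and the purpose labels are this example's own assumptions, chosen to implement the "build to the strictest standard" advice: the signal is honored for every visitor, not only those geolocated to a mandating state.

```python
"""Server-side Global Privacy Control (GPC) handling (added example).

Facts relied on from the GPC spec: request header `Sec-GPC: 1`, and "1"
is the only defined value. Everything else here (merge rule, tag catalog,
purpose labels, response headers) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class OptOutDecision:
    gpc_present: bool   # a well-formed `Sec-GPC: 1` was seen on this request
    opt_out: bool       # effective opt-out of sale/sharing and targeted ads
    source: str         # "gpc", "stored" or "none" (kept for the consent log)


def gpc_signal(headers: Mapping[str, str]) -> bool:
    """True only for a well-formed `Sec-GPC: 1` header.

    Header names are case-insensitive. Any other value ("0", "true",
    empty) is NOT a signal: the spec defines only "1", and accepting junk
    would let a proxy or a typo silently change the consent state.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_opt_out(headers: Mapping[str, str],
                   stored_opt_out: Optional[bool]) -> OptOutDecision:
    """Merge the live browser signal with a stored account preference.

    Assumed rule: a GPC signal on this request wins; otherwise fall back
    to the stored preference; otherwise there is no opt-out. A stored
    opt-out is never cleared just because a later request lacks the
    header (the consumer may be using a different browser).
    """
    if gpc_signal(headers):
        return OptOutDecision(True, True, "gpc")
    if stored_opt_out:
        return OptOutDecision(False, True, "stored")
    return OptOutDecision(False, False, "none")


# Constructed tag catalog (assumption): which third-party scripts serve
# which purpose. "sale_sharing" and "targeted_ads" are the purposes a GPC
# opt-out covers; first-party analytics is not covered by the signal.
TAG_CATALOG = {
    "ad-exchange-pixel": "sale_sharing",
    "retargeting-sdk": "targeted_ads",
    "first-party-analytics": "analytics",
}

OPT_OUT_PURPOSES = frozenset({"sale_sharing", "targeted_ads"})


def allowed_tags(decision: OptOutDecision,
                 catalog: Mapping[str, str] = TAG_CATALOG) -> list[str]:
    """Tags that may load for this request, in catalog order."""
    return [tag for tag, purpose in catalog.items()
            if not (decision.opt_out and purpose in OPT_OUT_PURPOSES)]


def response_headers_for(decision: OptOutDecision) -> dict[str, str]:
    """`Vary: Sec-GPC` stops a shared cache from serving a GPC-tailored
    page to a non-GPC client; the second header is for the consent log."""
    return {"Vary": "Sec-GPC", "X-Privacy-Opt-Out": decision.source}


if __name__ == "__main__":
    # Constructed request: a GPC-enabled browser with a session cookie.
    req = {"Host": "shop.example", "sec-gpc": "1", "Cookie": "session=abc"}
    d = decide_opt_out(req, stored_opt_out=None)
    print(d, allowed_tags(d), response_headers_for(d))
```

Two design points a practitioner would check: absence of the header is never treated as consent (it only means "no signal", and the stored preference or the opt-in defaults still apply), and honoring the signal regardless of the visitor's state removes the need for a geolocation lookup before the decision, which is exactly why the strictest-standard baseline is cheaper to operate than a per-state one. Client-side consent scripts can read the same signal from `navigator.globalPrivacyControl`, but the server-side check above is the one that gates what the page actually loads.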
Step 3: Implement State-Specific Adjustments
Layered on top of your baseline:
- Maryland-specific: Geofencing prohibition near sensitive facilities, complete ban on selling minor data under 18
- California-specific: "Limit the Use of My Sensitive Personal Information" link, CPPA-mandated cybersecurity audits and risk assessments, "sharing" disclosures for cross-context behavioral advertising
- Oregon-specific: Right to obtain third-party disclosure list, nonprofit compliance if applicable
- Minnesota-specific: Right to question automated profiling results, meaningful explanations of automated processing
- Vermont-specific: Employee data protections, private right of action considerations
Step 4: Automate Where Possible
A consent management platform (CMP) configured for multi-state compliance handles the most variable elements automatically: displaying the right opt-out links based on the consumer's state, processing GPC signals, managing state-specific consent preferences, and routing consumer rights requests to the correct fulfillment workflows. Leading CMPs for multi-state compliance include OneTrust, Securiti, Osano, and Transcend.
Step 5: Monitor the Pipeline
Additional states will continue enacting privacy laws. As of mid-2026, active bills are pending in Pennsylvania, Michigan, Ohio, Massachusetts, New York, and several other states. Building a modular compliance framework from the start means new laws require adjustments to your state-specific layer rather than rebuilding from scratch.
Enforcement Trends Across States
Enforcement patterns vary significantly by state. Understanding who is actively enforcing (and how) helps you prioritize your compliance efforts:
- California CPPA — most active. Dedicated staff, rulemaking authority, administrative enforcement. Priorities include GPC compliance, data broker obligations, ADMT transparency, and age-appropriate design
- California AG — continues to bring larger civil actions. The Sephora settlement (1.2 million dollars), DoorDash (375,000 dollars), and several ongoing investigations
- Colorado AG — second most active. Has issued multiple investigative demands and published detailed compliance guidance. Focus areas include universal opt-out compliance and dark patterns in consent interfaces
- Connecticut AG — has initiated investigations into data practices of online platforms targeting minors and companies using dark patterns in cookie consent notices
- Texas AG — has investigated and brought actions against data brokers and companies failing to provide opt-out mechanisms. Texas's broad applicability means enforcement affects a wide range of businesses
- Other states — most other state AGs have issued guidance documents but have not yet completed public enforcement actions as of mid-2026. This will change as offices build capacity and cure periods expire
The Federal Preemption Question
Every state privacy law discussion leads to the same question: will a federal law preempt state laws? The short answer is not yet, and possibly not completely.
The American Privacy Rights Act (APRA) introduced in Congress in 2024 proposed comprehensive federal standards with partial preemption of state laws. Key sticking points include California's insistence on preserving the CPRA and CPPA, Illinois's defense of its Biometric Information Privacy Act (BIPA), and general disagreement over whether consumers should have a private right of action.
As of mid-2026, no federal comprehensive privacy bill has passed. Even if one does, the likeliest outcome is a federal floor with certain state provisions preserved — meaning California, Maryland, and other states with unique provisions would retain at least some of their additional protections.
The practical takeaway: build for state-level compliance today. The investment is not wasted regardless of what happens at the federal level, because any federal law will incorporate most of the same concepts (consumer rights, data minimization, opt-out mechanisms, enforcement) that state laws already require.
What to Watch in the Second Half of 2026
Several developments will shape the privacy landscape in the coming months:
- CPPA ADMT regulations — California's automated decision-making technology rules are the most detailed of any state and will influence how other states approach AI regulation
- Maryland private right of action — effective in 2027; together with Vermont's (effective July 2026), its scope and early cases will signal whether other states follow
- New Jersey cure period sunset — New Jersey's 30-day cure period sunsets in July 2026, bringing another state into no-cure enforcement
- New York and Pennsylvania bills — both states have large populations and active legislative sessions. Passage in either state would significantly expand the compliance footprint for nationwide businesses
- Children's privacy wave — multiple states have additional children's online safety bills pending that supplement or extend comprehensive privacy laws with age-appropriate design codes
The Bottom Line
Twenty state privacy laws in effect. Thirteen requiring universal opt-out support. Cure periods sunsetting across multiple states. Dedicated enforcement agencies investigating actively. And more states in the legislative pipeline.
The days of a single-state compliance approach are over. Businesses operating nationwide need a unified privacy program that builds to the strictest standard, automates state-specific adjustments, honors GPC signals universally, uses opt-in consent for sensitive data by default, and monitors the pipeline for new legislation. The organizations that build this infrastructure now will spend less time reacting to each new law and more time operating with confidence across all 50 states — regardless of how many pass comprehensive privacy legislation next.
