The United States has no comprehensive federal privacy law. Instead, a rapidly growing patchwork of state privacy laws governs how organizations collect, process, and share consumer personal data. As of early 2026, over 20 states have enacted comprehensive consumer privacy legislation, with 8 new laws taking effect in 2025 alone and additional states following in 2026 and 2027.
State Privacy Laws by Effective Date
| State | Law | Effective Date |
|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 |
| Virginia | VCDPA | Jan 2023 |
| Colorado | CPA | Jul 2023 |
| Connecticut | CTDPA | Jul 2023 |
| Utah | UCPA | Dec 2023 |
| Oregon | OCPA | Jul 2024 |
| Texas | TDPSA | Jul 2024 |
| Montana | MCDPA | Oct 2024 |
| Delaware | DPDPA | Jan 2025 |
| Iowa | ICDPA | Jan 2025 |
| Nebraska | NDPA | Jan 2025 |
| New Hampshire | NHPA | Jan 2025 |
| New Jersey | NJDPA | Jan 2025 |
| Tennessee | TIPA | Jul 2025 |
| Minnesota | MCDPA | Jul 2025 |
| Maryland | MODPA | Oct 2025 |
| Indiana | INPA | Jan 2026 |
| Kentucky | KCDPA | Jan 2026 |
| Rhode Island | RIDPA | Jan 2026 |
Additional states have enacted laws with effective dates in 2026 and 2027, and new legislation is introduced every legislative session.
Core Consumer Rights
Most state privacy laws grant consumers a similar set of rights, though specifics vary:
| Right | Description | Notable Variations |
|---|---|---|
| Right to Know | Access what personal data is collected and how it’s used | Universal across all states |
| Right to Delete | Request deletion of personal data | Exceptions vary significantly by state |
| Right to Correct | Correct inaccurate personal data | Not included in all states (missing in Utah, Iowa) |
| Right to Portability | Receive personal data in a portable format | Universal but format requirements differ |
| Right to Opt-Out of Sale | Opt out of the sale of personal data | Definition of “sale” varies widely |
| Right to Opt-Out of Targeted Advertising | Opt out of targeted advertising using personal data | Most states include this |
| Right to Opt-Out of Profiling | Opt out of automated decision-making with legal effects | Included in newer laws |
Key Variations Between States
California (CCPA/CPRA): The Strictest
California remains the most stringent and prescriptive state privacy law. It provides a private right of action for data breaches involving unencrypted personal information. The California Privacy Protection Agency is a dedicated enforcement agency, unique among states. The law covers employees and B2B contacts, which most other states exempt. Data minimization requirements apply, along with risk assessments for high-risk processing activities. The Texas Attorney General’s $1.375 billion penalty against Google in 2025 demonstrates aggressive state enforcement even outside California.
Opt-Out Mechanisms
California, Colorado, Connecticut, Montana, and Texas require businesses to honor Global Privacy Control (GPC) browser signals as valid opt-out requests. Several states require businesses to honor technology-based universal opt-out mechanisms, reducing the need for consumer-by-consumer requests.
Enforcement Models
| Model | States | Implication |
|---|---|---|
| AG enforcement only | Most states | Attorney General is sole enforcer |
| Dedicated agency | California (CPPA) | More active, specialized enforcement |
| Private right of action | California (limited to breaches) | Consumers can sue directly |
| Cure period | Many states (30-60 days) | Organizations get time to fix violations before penalties |
Compliance Strategy
Map to the Strictest Standard
Rather than building 20+ separate compliance programs, use CPRA as the baseline since compliance with California’s requirements will likely meet most other states’ requirements. Layer state-specific requirements on top, addressing specific variations like GPC signal support, cure periods, and employee data scope. Maintain a single privacy policy that covers all applicable state requirements.
Technical Implementation
Deploy a consent management platform that supports GPC signal detection and state-specific opt-out workflows. Build automated workflows for access, deletion, correction, and opt-out requests that scale across states. Maintain a current data processing inventory documenting what data is collected, why, where it is stored, who has access, and what third parties receive it. Ensure all data processing agreements with vendors include privacy obligations that satisfy the most restrictive applicable state law.
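A server-side sketch of the GPC detection and state-specific opt-out decision described above. This is an added example, not code from any consent management platform: the function names, the `stored` preference shape and the `strictBaseline` option are hypothetical. Mapping a GPC signal to the sale and targeted-advertising opt-outs, and treating unknown residency as covered, are assumptions of this example.

```javascript
// States the page lists as requiring GPC to be honored as an opt-out request.
const GPC_STATES = new Set(["CA", "CO", "CT", "MT", "TX"]);

// Read Sec-GPC from a header map. Header names are case-insensitive, and the
// only value that signals a preference is the exact string "1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Decide the effective opt-out state for one request.
// state: two-letter residency code from your own account/geolocation data, or
//        null when unknown (assumption: unknown residency is treated as covered).
// stored: opt-outs the consumer already set through the CMP (hypothetical shape).
// strictBaseline: honor GPC in every state, per "map to the strictest standard".
function resolveOptOut({ headers, state = null, stored = {}, strictBaseline = false }) {
  const result = {
    sale: Boolean(stored.sale),
    targetedAdvertising: Boolean(stored.targetedAdvertising),
    profiling: Boolean(stored.profiling),
    source: "stored",
  };
  const covered = strictBaseline || state === null || GPC_STATES.has(state);
  if (hasGpcSignal(headers) && covered) {
    // Assumption for this example: GPC maps to sale + targeted advertising.
    // A signal can only add opt-outs; it never clears one already stored.
    result.sale = true;
    result.targetedAdvertising = true;
    result.source = "gpc";
  }
  return result;
}

// Constructed sample requests (not real traffic).
const samples = [
  { headers: { "Sec-GPC": "1" }, state: "CO" },
  { headers: { "sec-gpc": "0" }, state: "CA" },
  { headers: { "sec-gpc": "1" }, state: "UT", stored: { profiling: true } },
];
for (const s of samples) console.log(s.state, resolveOptOut(s));
```

Run the decision before any advertising or data-sharing tags are emitted for the request, and log the `source` field so opt-outs applied from a signal can be distinguished from consumer-submitted ones.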
Practical Steps
- Most state laws apply based on thresholds, such as processing data of 100,000 or more state residents, or 25,000 or more with revenue from data sales.
- Map all personal data collection, processing, storage, and sharing.
- Make sure privacy policy disclosures cover all applicable state requirements.
- Support GPC signals and provide clear opt-out links for sale, targeted advertising, and profiling.
- Automate data subject request fulfillment since manual processing does not scale as states multiply.
- Train customer-facing and data-handling staff on privacy obligations.
- New state privacy laws are introduced every legislative session, so maintain a regulatory tracking process.