U.S. state privacy law comparison 2026
As of 2026, 20 U.S. states have comprehensive data privacy laws. This guide compares thresholds, consumer rights, and effective dates side by side.
Twenty U.S. states now have comprehensive data privacy laws in effect. Five years ago, it was one. If your business collects personal data from American residents, the compliance picture has changed dramatically since California first passed the California Consumer Privacy Act (CCPA) in 2018. Indiana, Kentucky, and Rhode Island all joined the landscape on January 1, 2026, and more states are expected to follow in 2027.
This guide maps every active U.S. state privacy law, compares the thresholds that determine whether your business is in scope, explains the consumer rights each law requires you to support, and shows you what the 2026 changes mean in practice.
U.S. state privacy laws are state-level regulations that give consumers rights over how businesses collect, process, and share their personal data. As of 2026, 20 states have enacted comprehensive consumer data privacy laws. Each law sets its own applicability thresholds, consumer rights, and enforcement mechanisms, creating a patchwork framework that businesses must navigate in the absence of a single federal standard.
According to the IAPP's U.S. State Privacy Legislation Tracker, 20 states now have comprehensive consumer privacy laws on the books. The first five were California, Virginia, Colorado, Connecticut, and Utah. The most recent three, Indiana, Kentucky, and Rhode Island, became effective on January 1, 2026.
Here is the full list as of June 2026:
State | Law | Abbreviation | Effective date | Enforced by |
|---|---|---|---|---|
CA | California Consumer Privacy Act / California Privacy Rights Act | CCPA/CPRA | Jan 1, 2020 / Jan 1, 2023 | CA Privacy Protection Agency (CPPA) |
VA | Virginia Consumer Data Protection Act | VCDPA | Jan 1, 2023 | Virginia Attorney General |
CO | Colorado Privacy Act | CPA | Jul 1, 2023 | Colorado Attorney General |
CT | Connecticut Data Privacy Act | CTDPA | Jul 1, 2023 | Connecticut Attorney General |
UT | Utah Consumer Privacy Act | UCPA | Dec 31, 2023 | Utah Attorney General / Div. of Consumer Protection |
TX | Texas Data Privacy and Security Act | TDPSA | Jul 1, 2024 | Texas Attorney General |
OR | Oregon Consumer Privacy Act | OCPA | Jul 1, 2024 | Oregon Attorney General |
MT | Montana Consumer Data Privacy Act | MCDPA | Oct 1, 2024 | Montana Attorney General |
FL | Florida Digital Bill of Rights | FDBR | Jul 1, 2024 | Florida Attorney General (narrow scope) |
DE | Delaware Personal Data Privacy Act | DPDPA | Jan 1, 2025 | Delaware Attorney General |
IA | Iowa Consumer Data Protection Act | ICDPA | Jan 1, 2025 | Iowa Attorney General |
MD | Maryland Online Data Privacy Act | MODPA | Oct 1, 2025 | Maryland Attorney General |
MN | Minnesota Consumer Data Privacy Act | MNDPA | Jul 31, 2025 | Minnesota Attorney General |
NE | Nebraska Data Privacy Act | NDPA | Jan 1, 2025 | Nebraska Attorney General |
NH | New Hampshire Privacy Act | NHPA | Jan 1, 2025 | New Hampshire Attorney General |
NJ | New Jersey Data Privacy Act | NJDPA | Jan 15, 2025 | New Jersey Attorney General |
TN | Tennessee Information Protection Act | TIPA | Jul 1, 2025 | Tennessee Attorney General |
IN | Indiana Consumer Data Protection Act | INCDPA | Jan 1, 2026 (NEW) | Indiana Attorney General |
KY | Kentucky Consumer Data Protection Act | KCDPA | Jan 1, 2026 (NEW) | Kentucky Attorney General |
RI | Rhode Island Data Transparency and Privacy Protection Act | RIDTPPA | Jan 1, 2026 (NEW) | Rhode Island Attorney General |
Note: Florida's Digital Bill of Rights has a narrower scope than other comprehensive state laws and applies only to large technology companies with annual global revenues over $1 billion.
The laws share a common structure but differ on the details that matter most: who they apply to, what rights consumers get, and how aggressively they are enforced. The table below compares the six most significant state privacy laws.
For a detailed comparison of the CCPA and VCDPA specifically, see our post on the differences between the VCDPA and CCPA.
| | CA (CCPA/CPRA) | VA (VCDPA) | CO (CPA) | CT (CTDPA) | TX (TDPSA) | RI (RIDTPPA) |
|---|---|---|---|---|---|---|
Effective date | Jan 2020 | Jan 2023 | Jul 2023 | Jul 2023 | Jul 2024 | Jan 2026 |
Consumer threshold | 100K consumers | 100K or 25K + 50% revenue | 100K or 25K + 50% revenue | 35K consumers; any sensitive data processing; or any sale of personal data | 100K or 25K + 50% revenue | 35K or 10K + 20% revenue |
Revenue threshold | $25M gross revenue | None | None | None | None | None |
Right to access | Yes | Yes | Yes | Yes | Yes | Yes |
Right to delete | Yes | Yes | Yes | Yes | Yes | Yes |
Right to correct | Yes (CPRA) | Yes | Yes | Yes | Yes | Yes |
Right to portability | Yes | Yes | Yes | Yes | Yes | Yes |
Opt-out of data sale | Yes | Yes | Yes | Yes | Yes | Yes |
Opt-out of targeted ads | Yes | Yes | Yes | Yes | Yes | Yes |
Private right of action | Yes (breaches only) | No | No | No | No | No |
Max penalty/violation | $7,500 (intentional) | $7,500 | $2K/consumer; $500K max | $5,000 | $7,500 | TBD (AG enforcement) |
Cure period | None | 30 days | None | 60 days | 30 days | None |
For the complete breakdown of Colorado and Connecticut requirements, see our guide to Colorado and Connecticut privacy laws.
Despite the variation across states, six core consumer rights appear in virtually every active state privacy law. Understanding these rights helps you build a compliance framework that holds across the whole map, not just one state.
Right to access: Consumers can request a copy of the personal data a business holds about them, including the categories of data collected, the purpose of collection, and any third parties it has been shared with.
Right to deletion: Consumers can request that a business delete their personal data. Most laws allow exceptions for data needed to complete a transaction, for security purposes, or where another law requires retention.
Right to correction: Consumers can ask a business to correct inaccurate personal data. This right is present in most state laws, though California only added it with the CPRA in 2023.
Right to portability: Consumers can request their data in a machine-readable format, making it easier to transfer to another service provider.
Right to opt out: Consumers can opt out of the sale of their personal data, the use of their data for targeted advertising, and, in most states, automated decision-making that produces significant legal effects.
Right to non-discrimination: Businesses cannot deny services, charge higher prices, or provide a lower quality of service to consumers who exercise their privacy rights.
Facilitating these rights in practice requires a structured process for receiving, verifying, and responding to consumer requests within mandated timeframes (typically 45 days). Data subject request management tools can help you handle access, deletion, and correction requests efficiently across jurisdictions.
Most state privacy laws only apply to businesses above a certain size, measured by the number of consumers whose data they process or their annual revenue. If you fall below these thresholds, most laws do not apply to you, though it is worth monitoring as thresholds can be amended.
State | Law | Consumer threshold | Revenue threshold | Data sale threshold |
|---|---|---|---|---|
CA | CCPA/CPRA | 100,000+ consumers or households/year | $25M+ annual gross revenue | Derive 50%+ revenue from selling personal data |
VA | VCDPA | 100,000+ consumers/year | None | 25,000+ consumers + 50%+ revenue from data sales |
CO | CPA | 100,000+ consumers/year | None | 25,000+ consumers + 50%+ revenue from data sales |
CT | CTDPA | 35,000+ consumers/year | None | Any revenue from data sales |
UT | UCPA | 100,000+ consumers/year | $25M+ annual revenue | 25,000+ consumers + 50%+ revenue from data sales |
TX | TDPSA | Processes data of Texas residents (no numeric threshold) | Small business exemption applies | Derive 50%+ revenue from selling personal data |
IN | INCDPA | 100,000+ consumers/year | None | 25,000+ consumers + 50%+ revenue from data sales |
KY | KCDPA | 100,000+ consumers/year | None | 25,000+ consumers + 50%+ revenue from data sales |
RI | RIDTPPA | 35,000+ consumers/year | None | 10,000+ consumers + 20%+ revenue from data sales |
Enforcement in almost all states runs through the state Attorney General's office. Businesses typically receive notice of a violation and a window to cure it before formal action is taken, though several states have removed cure periods entirely.
Key enforcement differences to know:
California is the only state where consumers can bring private lawsuits directly for data breaches under the CCPA. All other states limit enforcement to the AG.
California's CPPA has the most active enforcement record, with multiple investigations and fines since its formation.
Colorado and Rhode Island have no cure period, meaning violations can result in immediate formal enforcement action.
Virginia allows a 30-day cure period; Connecticut allows 60 days (reduced from 90 after 2024).
Indiana and Kentucky removed their cure periods before their laws even took effect, following the trend toward stricter enforcement noted in the 2026 state law changes highlighted by MultiState.
If you were already dealing with CCPA, you have a head start. Most of the new state laws follow a similar template. But the details that differ are the ones that can catch businesses off guard.
Indiana, Kentucky, and Rhode Island went live. All three follow the Virginia-style template, which is slightly less demanding than California's. But Indiana and Kentucky removed their 30-day cure periods before the laws even took effect, a signal that enforcement will not be lenient.
Rhode Island lowered the bar for who is in scope. At 35,000 consumers, Rhode Island's threshold is roughly one-third of the 100,000-consumer bar most other states use. Many businesses that were below the threshold for every other state law may now need to act.
California added mandatory risk assessments. New California regulations that took effect January 1, 2026, require businesses to conduct privacy risk assessments for processing activities that present significant consumer risk. Initial assessments are due to the CPPA by April 1, 2028.
Audit which states your website visitors come from. If Rhode Island residents are in your user base and you process their data, apply the 35,000-consumer threshold test.
Review your consent setup for each state. States vary on whether they require opt-in or opt-out models, how they handle sensitive data categories, and whether targeted advertising requires a separate opt-out signal.
Update your privacy policy to reflect which state laws now apply to your business and what rights consumers in each state can exercise.
Establish a process for data subject requests. Every active state law requires a response mechanism. If you are handling these manually, the addition of three new states is the time to automate.
Managing consent requirements across 20 different state laws is not a project you want to handle manually. The requirements differ by state: what triggers the consent banner, whether the default is opt-in or opt-out, which tracking technologies need prior consent, and which signals, such as Global Privacy Control (GPC), you need to honour.
Clym's consent management platform (CMP) uses location-based detection to identify each visitor's regulatory context and serves the appropriate consent experience automatically. A California visitor sees a CCPA-compliant experience. A Virginia visitor sees one built around the VCDPA. A Rhode Island visitor, effective January 2026, sees what that law now requires.
Clym's localization feature and geofencing handle this detection in the background. You configure the platform once; it adapts to every visitor's jurisdiction from there.
You can also browse all active U.S. and global data privacy regulations in Clym's regulations hub.
The U.S. privacy law landscape has changed more in the past five years than in the previous two decades. With 20 states now active and more expected before 2028, the question for most businesses is no longer whether state privacy laws apply to them. It is how many of them do.
The good news is that most state laws share a common architecture: similar consumer rights, similar applicability structures, and enforcement through state Attorneys General. If you understand how California, Virginia, and Colorado work, you have a solid foundation to build on. The differences that matter most are thresholds (Rhode Island's is the lowest), cure periods (several states have removed them), and sensitive data rules (California and Colorado are the most demanding).
Keeping up with a landscape that changes every year is where having the right tools makes a real difference. A consent management platform that adapts to each visitor's state saves you from building and maintaining 20 separate consent configurations yourself.
As of 2026, 20 U.S. states have enacted comprehensive consumer data privacy laws. Indiana, Kentucky, and Rhode Island are the newest additions, all effective January 1, 2026. Several more states are expected to join the list before the end of 2027, though no new comprehensive state privacy laws were passed in 2025's legislative sessions.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and most other state privacy laws follow a similar structure to California's CCPA, granting rights to access, delete, and opt out of data sales. California remains the strictest, with enforcement by the dedicated California Privacy Protection Agency, mandatory risk assessments, and a private right of action for breaches. For a full side-by-side, see our VCDPA vs CCPA comparison.
Most state privacy laws include threshold requirements that exempt smaller businesses. Most states require businesses to process data of at least 100,000 consumers annually before the law applies. Rhode Island and Connecticut are the exceptions, with the lowest threshold of any state at 35,000 consumers, which means more mid-sized businesses may be in scope than they expect. Texas also applies broadly, with no fixed consumer threshold.
Most state privacy laws grant consumers six core rights: access to their data, the right to request deletion, the right to correct inaccurate data, data portability, the right to opt out of the sale of personal data, and non-discrimination for exercising those rights. Some states add rights to limit the use of sensitive data and to opt out of profiling used for automated decision-making.
As of 2026, the United States does not have a comprehensive federal consumer data privacy law. Federal sector-specific laws such as HIPAA (healthcare) and FERPA (education) exist, but there is no equivalent to the EU's GDPR covering all industries and consumer data broadly. The absence of a federal law is why each state has moved independently, creating the patchwork of 20 different frameworks that businesses operating across state lines must navigate today.