Blog Overview California (CCPA/CPRA) Virginia (VCDPA) Colorado (CPA) Connecticut (CTDPA) Texas (TDPSA) Other States Comparison Table Federal Outlook

The US Privacy Law Landscape

The United States has no comprehensive federal privacy law (yet). Instead, a patchwork of state laws has emerged, creating one of the most complex privacy regulatory environments in the world. As of 2026, over 20 states have enacted comprehensive consumer privacy legislation.

Key Context: Unlike GDPR which applies uniformly across the EU, each US state law has different thresholds, requirements, and enforcement mechanisms. If you do business nationally, you likely need to comply with multiple state laws.

California — CCPA & CPRA (The Gold Standard)

California leads US privacy regulation with the most comprehensive framework:

Who Must Comply

For-profit businesses that collect California residents' data and meet ONE of:

  • Annual gross revenue over $25 million
  • Buy, sell, or share data of 100,000+ consumers/households (CCPA) or 50,000+ (CPRA)
  • Derive 50%+ of revenue from selling personal data

Consumer Rights Under CPRA (2023+)

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of sale and sharing
  • Right to correct inaccurate information
  • Right to limit use of sensitive personal information
  • Right to access information about automated decisions

Enforcement

The California Privacy Protection Agency (CPPA) enforces CPRA. Fines: $2,500 per violation (unintentional), $7,500 per violation (intentional or involving minors). Private right of action for data breaches.

Virginia — VCDPA

Virginia was the second state to pass comprehensive privacy legislation:

  • Threshold: Control/process data of 100,000+ consumers OR derive 50%+ of revenue from selling data of 25,000+ consumers
  • Key Rights: Access, correction, deletion, data portability, opt-out of sale/targeted advertising/profiling
  • Enforcement: Attorney General only (no private right of action)
  • Notable: No requirement for a global privacy control signal recognition

Colorado — CPA

Colorado's law is considered one of the stronger state frameworks:

  • Threshold: Control/process data of 100,000+ consumers OR derive revenue from selling data of 25,000+ consumers
  • Key Rights: Access, correction, deletion, portability, opt-out of sale/targeted advertising/profiling
  • Unique Features: Requires universal opt-out mechanism recognition, mandates data protection assessments
  • Enforcement: Attorney General and district attorneys

Connecticut — CTDPA

  • Threshold: Process data of 100,000+ consumers (excluding payment transactions) OR 25,000+ consumers with 25%+ revenue from data sale
  • Key Rights: Similar to Virginia and Colorado
  • Unique: Stronger protections for children (under 16), health data, and requires privacy policy accessibility standards

Texas — TDPSA

  • Threshold: No revenue or volume threshold — applies to any business processing Texas residents' data (except small businesses as defined by US SBA)
  • Key Rights: Access, correction, deletion, portability, opt-out of sale/targeted advertising
  • Notable: Broad scope due to the lack of revenue thresholds

Other States with Privacy Laws

By 2026, comprehensive privacy laws also exist in:

  • Florida (Digital Bill of Rights)
  • Oregon, Montana, Tennessee, Iowa, Indiana, Delaware
  • Utah (more business-friendly, weaker consumer protections)
  • New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island

Quick Comparison: Major State Laws

Feature California Virginia Colorado Texas
Private Right of Action ✅ Limited
Sensitive Data Rules ✅ Strong ✅ Strong
Universal Opt-Out ✅ Required ✅ Required
Data Protection Assessments ✅ Required ✅ Required ✅ Required ✅ Required
Cure Period None (CPRA) 30 days 60 days 30 days

The Federal Privacy Law Outlook

The American Data Privacy and Protection Act (ADPPA) has been proposed in Congress multiple times but has yet to pass. If enacted, it would create a comprehensive federal standard that preempts (replaces) many state laws. Until then, businesses must navigate the state-by-state patchwork.

Practical Advice: If you handle consumer data in the US, aim for CCPA/CPRA compliance as your baseline. It's the strictest US law, and meeting its requirements will put you in good shape for other states. Or better yet, aim for GDPR compliance — it exceeds all US state laws.

Ready to Check a Privacy Policy?

Use our free AI-powered analyzer to see what's in any privacy policy.

Analyze a Policy Free