US State Privacy Laws: 2026 Guide

A comprehensive overview of state privacy laws enacted across the United States, from Virginia's VCDPA to Florida's FIPA and beyond.

20 min read Updated April 2026

State Privacy Law Overview

The United States has seen an explosion of state-level privacy legislation since 2018. While there is no comprehensive federal privacy law, states have taken the lead in protecting consumer data. As of 2026, over 20 states have enacted comprehensive privacy laws, with many more considering legislation.

These laws share many similarities but have significant variations in scope, thresholds, consumer rights, and enforcement mechanisms. Understanding these differences is essential for businesses operating across state lines.

States with Comprehensive Privacy Laws

  • Enacted: California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa
  • 2023-2024: Texas, Florida, Tennessee, Montana, Texas, Oregon
  • 2025-2026: New Jersey, Minnesota, Kentucky, Maryland
  • Pending/Proposed: Many additional states

Common Elements of State Privacy Laws

While each state law is unique, most share common frameworks:

Consumer Rights

Most state laws grant consumers the right to:

  • Know: What personal data is collected and how it's used
  • Delete: Request deletion of personal data
  • Opt-Out: Stop the sale or sharing of their data
  • Correct: Request correction of inaccurate data
  • Portability: Receive their data in a portable format
  • Non-Discrimination: Not be discriminated against for exercising rights

Business Obligations

Covered businesses typically must:

  • Publish a privacy policy with required disclosures
  • Implement processes to handle consumer requests
  • Provide opt-out mechanisms (often including a "Do Not Sell" link)
  • Conduct data protection assessments for high-risk processing
  • Enter into contracts with service providers
  • Implement reasonable data security measures

Threshold Requirements

Most state laws apply only to businesses meeting certain thresholds:

  • Annual revenue thresholds (typically $25-40 million)
  • Number of consumers (typically 25,000-100,000)
  • Percentage of revenue from data sales

Virginia Consumer Data Protection Act (VCDPA)

Virginia was the second state (after California) to enact comprehensive privacy legislation. VCDPA took effect on January 1, 2023.

Applicability

VCDPA applies to persons that conduct business in Virginia or target Virginia residents and:

  • Control or process data of 100,000+ consumers, or
  • Control or process data of 25,000+ consumers and derive 50%+ revenue from data sales

Consumer Rights

  • Right to know and access
  • Right to delete
  • Right to correct
  • Right to opt-out of sale, targeted advertising, profiling
  • Right to data portability
  • Right to opt-out of "sensitive data" processing
  • Right to non-discrimination

Key Features

  • One of the first to include profiling protections
  • Requires "clear and affirmative" consent for sensitive data
  • Includes a 30-day cure period for violations (expires 2026)
  • Private right of action excluded (only Attorney General enforcement)

VCDPA at a Glance

  • Effective: January 1, 2023
  • Threshold: 100K consumers or 25K + 50% revenue from sales
  • Cure Period: 30 days (ending 2026)
  • Enforcement: Attorney General only
  • Penalties: Up to $7,500 per violation

Colorado Privacy Act (CPA)

Colorado's CPA took effect on July 1, 2023, with additional provisions taking effect in 2025. It includes unique requirements for universal opt-out mechanisms.

Applicability

CPA applies to controllers conducting business in Colorado or targeting Colorado residents and:

  • Process data of 100,000+ consumers, or
  • Process data of 25,000+ consumers and derive 25%+ revenue from data sales

Consumer Rights

  • Right to know and access
  • Right to delete
  • Right to correct
  • Right to opt-out of sale, targeted advertising, profiling
  • Right to data portability
  • Right to opt-out of automated decision-making
  • Right to opt-out of sensitive data processing

Unique Requirements

  • Universal Opt-Out: Must honor browser-based opt-out signals (Global Privacy Control)
  • Privacy Sandbox: Must work with emerging privacy technologies
  • Data Protection Assessment: Required for profiling and certain processing
  • Right to opt-out of "dark patterns"

CPA at a Glance

  • Effective: July 1, 2023
  • Threshold: 100K consumers or 25K + 25% revenue from sales
  • Special Feature: Universal opt-out mechanism requirement
  • Enforcement: Attorney General and District Attorneys
  • Penalties: Up to $20,000 per violation

Connecticut Data Privacy Act (CTDPA)

Connecticut's CTDPA took effect on July 1, 2023, blending elements from Virginia and Colorado with some unique additions.

Applicability

CTDPA applies to controllers conducting business in Connecticut or targeting Connecticut residents and:

  • Process data of 100,000+ consumers, or
  • Process data of 25,000+ consumers and derive 25%+ revenue from data sales

Consumer Rights

  • Right to confirm whether data is being processed
  • Right to access and portability
  • Right to delete
  • Right to correct
  • Right to opt-out of sale, targeted advertising, profiling
  • Right to opt-out of sensitive data processing

Key Features

  • Includes "de-identified" data provisions
  • Has a 60-day cure period (ending January 2025)
  • Similar to Virginia but with Colorado's revenue threshold
  • Requires data minimization principles

CTDPA at a Glance

  • Effective: July 1, 2023
  • Threshold: 100K consumers or 25K + 25% revenue from sales
  • Cure Period: 60 days
  • Enforcement: Attorney General
  • Penalties: Up to $5,000 per violation

Texas Data Privacy and Security Act (TDPSA)

Texas enacted TDPSA in 2023, which became effective on July 1, 2024. It was one of the largest states to adopt a comprehensive privacy law.

Applicability

TDPSA applies to for-profit entities conducting business in Texas or targeting Texas residents and:

  • Process data of 100,000+ consumers, or
  • Process data of 25,000+ consumers and derive 50%+ revenue from data sales

Consumer Rights

  • Right to access
  • Right to delete
  • Right to correct
  • Right to opt-out of sale, targeted advertising, profiling
  • Right to opt-out of sensitive data processing
  • Right to data portability
  • Right to non-discrimination

Key Features

  • No private right of action
  • Only Attorney General enforcement
  • Includes specific provisions for protected biometric data
  • Requires "reasonable" data security measures

TDPSA at a Glance

  • Effective: July 1, 2024
  • Threshold: 100K consumers or 25K + 50% revenue from sales
  • Enforcement: Attorney General only
  • Penalties: Up to $7,500 per violation
  • Population: ~30 million residents

Florida Information Privacy Act (FIPA)

Florida's FIPA took effect on July 1, 2024, making it one of the newer comprehensive state privacy laws.

Applicability

FIPA applies to controllers conducting business in Florida or targeting Florida residents and:

  • Process data of 100,000+ consumers, or
  • Process data of 50,000+ consumers and derive 50%+ revenue from data sales

Consumer Rights

  • Right to access
  • Right to delete
  • Right to correct
  • Right to opt-out of sale, targeted advertising, profiling
  • Right to data portability
  • Right to non-discrimination

Key Features

  • Does not include right to opt-out of sensitive data (different from others)
  • Private right of action excluded
  • Includes "consumer rights request" response requirements
  • Applies to controllers, not processors

FIPA at a Glance

  • Effective: July 1, 2024
  • Threshold: 100K consumers or 50K + 50% revenue from sales
  • Enforcement: Attorney General
  • Penalties: Up to $10,000 per violation
  • Population: ~22 million residents

California CCPA/CPRA

California remains the benchmark for state privacy laws. The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), represent the most comprehensive privacy legislation in the US.

For a complete guide to CCPA/CPRA, see our CCPA Guide.

Key Differences from Other States

Feature California Other States
Private Right of Action Yes (data breaches) Generally No
Threshold (Standard) $25M revenue or 100K consumers $25-40M or 100K consumers
Sensitive Data Explicit opt-out right Most include similar rights
Enforcement CPPA + AG + Private AG only (most states)

Other State Privacy Laws

Several other states have enacted comprehensive privacy laws:

Utah Consumer Privacy Act (UCPA)

  • Effective: December 31, 2023
  • Threshold: 100K consumers or 25K + 20% revenue from sales
  • Notable: Includes health data provisions

Iowa Consumer Data Protection Act (ICDPA)

  • Effective: January 1, 2025
  • Threshold: 100K consumers or 25K + 50% revenue from sales
  • Notable: One of the most business-friendly laws

Tennessee Information Privacy Act (TIPA)

  • Effective: July 1, 2025
  • Threshold: 100K consumers or 25K + 50% revenue from sales

Oregon Consumer Privacy Act (OCPA)

  • Effective: July 1, 2024
  • Threshold: 100K consumers or 25K + 25% revenue from sales
  • Notable: Includes local government applicability

Montana Consumer Data Privacy Act (MCDPA)

  • Effective: October 1, 2024
  • Threshold: 100K consumers or 25K + 50% revenue from sales

New Jersey Privacy Act (NJPA)

  • Effective: January 15, 2025
  • Threshold: 100K consumers or 25K + 20% revenue from sales
  • Notable: Includes private right of action for breaches

Minnesota Consumer Data Privacy Act (MCDPA)

  • Effective: July 31, 2025
  • Threshold: 100K consumers or 25K + 20% revenue from sales
  • Notable: One of the most comprehensive

Keep Monitoring

State privacy laws continue to evolve rapidly. New states are enacting laws annually, and existing laws are being amended. Stay current with your state's requirements.

Multi-State Compliance Strategy

For businesses operating in multiple states, here are key strategies:

Unified Compliance Approach

The most efficient approach is to build toward the strictest standard:

  • Follow California's requirements as baseline
  • Implement universal opt-out mechanisms (Colorado style)
  • Include sensitive data protections
  • Build flexible request handling systems

Key Actions

Privacy Program Essentials

  • Map data flows across all states
  • Update privacy policies for each state's requirements
  • Implement opt-out mechanisms on your website
  • Create processes for consumer requests
  • Conduct data protection assessments
  • Review vendor contracts for required provisions
  • Train employees on state-specific requirements
  • Monitor legislative changes in key states

Analyze Your Privacy Policy

Use PolicyLens to check if your privacy policy meets requirements for all relevant state privacy laws and identify compliance gaps.

Analyze Your Policy Free