US State Privacy Laws in 2026: The Patchwork You Actually Have to Comply With
The US still has no federal privacy law, but 20+ states do. Here's what CCPA, Virginia, Colorado, Texas, and the other major state laws actually require — and where they differ.
Every year or two, someone declares that a US federal privacy law is "close." Every year or two, it isn't. In the meantime, states have stopped waiting. As of early 2026, 20+ states have enacted comprehensive consumer privacy laws, with another handful in active legislation.
For any company with US customers, this has turned into a compliance headache that's roughly as complex as GDPR — just more fragmented. You don't get to pick one law and be done. You get to figure out which laws apply, where they overlap, where they differ, and how to build a privacy program that actually covers all of them without going bankrupt on vendor fees.
Here's the honest state of play in 2026.
The Anchor: CCPA/CPRA in California
California was first out of the gate. The California Consumer Privacy Act (CCPA) took effect in January 2020. The California Privacy Rights Act (CPRA) amended and expanded it, with most provisions effective January 2023. Together, they're usually referred to as "CCPA" or "CCPA/CPRA."
California's law is the strictest state privacy law in the US, and it's the one most other states have modeled themselves after (more or less loosely).
Core rights for California residents:
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate information
- Right to opt out of the sale or sharing of personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising privacy rights
Business obligations include privacy notices, data minimization, purpose limitation, reasonable security, contracts with service providers and contractors, and responding to consumer requests within 45 days.
The CPRA created the California Privacy Protection Agency (CPPA), which is now the first dedicated privacy regulator in the US. It issues regulations, investigates complaints, and imposes fines. The CPPA has become increasingly active — multiple enforcement actions in 2024 and 2025 against companies for failing to honor opt-out requests and for inadequate privacy notices. Measured against GDPR's global reach, California sits somewhere in between — less prescriptive than GDPR, but backed by a real regulator.
Fines: up to $2,500 per violation, $7,500 per intentional violation or violation involving a child's data. Violations multiply — one data issue across 10,000 consumers is 10,000 violations.
Virginia: The Model for Most Other States
Virginia's Consumer Data Protection Act (VCDPA) took effect January 1, 2023. It was the second comprehensive state privacy law and became the template for about a dozen others — Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and more have followed Virginia's structure with local tweaks.
What's similar to California:
- Access, deletion, correction, and portability rights
- Right to opt out of targeted advertising and the sale of personal data
- Required privacy notices
- Data protection assessments for high-risk processing
What's different from California:
- Applies to businesses processing personal data of 100,000+ Virginia residents (or 25,000+ if revenue from selling personal data exceeds 50%)
- Narrower definition of "sale" — only monetary consideration, not other valuable consideration
- Exempts employee and B2B data (at least in the current version)
- No private right of action — only state AG enforcement
- Requires a 30-day cure period before enforcement (though this is being phased out in some states)
Virginia's law is more business-friendly than California's, and that's by design. Virginia lawmakers explicitly said they wanted something less prescriptive. The trade-off: weaker consumer rights, less aggressive enforcement.
Colorado: The Middle Ground
The Colorado Privacy Act (CPA) took effect July 1, 2023. It's structurally similar to Virginia but with more muscle.
Key differences:
- Universal opt-out mechanism (UOOM) is required — Colorado was the first state to mandate honoring opt-out signals like the Global Privacy Control (GPC). This is big. If you're not honoring GPC signals, you're already out of compliance.
- Expanded definition of "sensitive data" that includes biometric data, genetic data, and children's data with stricter consent rules
- Detailed rules around profiling and automated decision-making
- Active enforcement by the Colorado Attorney General, which has published detailed rules and FAQs
Colorado's AG has been surprisingly active — several settlement agreements with companies in 2024 and 2025 over opt-out handling and privacy notices.
Texas: Big Market, Different Rules
The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024. Texas is big — about 30 million people — so this one matters for a lot of companies.
Texas is modeled on Virginia but with one important quirk: it applies to businesses that conduct business in Texas or produce products/services consumed by Texas residents, without the 100,000-resident threshold that most other states use. If you have any meaningful Texas business, you're probably in scope.
Rights and obligations are similar to Virginia. Enforcement is by the Texas AG, with penalties up to $7,500 per violation plus reasonable attorneys' fees.
What's New in 2025-2026
Several states have joined the club recently:
Oregon (July 2024) — similar to Virginia but with universal opt-out mechanism and a requirement to list the specific third parties that receive personal data on request.
Delaware (January 2025) — Virginia-style law with lower thresholds, applying to smaller businesses.
Iowa, Tennessee, New Jersey, New Hampshire (various dates through 2025) — all Virginia-derivative.
Maryland Online Data Privacy Act (October 2025) — notably stricter than Virginia-style laws. Data minimization requirements are prescriptive (you can only collect what's "reasonably necessary"), and the sale of sensitive data is prohibited outright rather than just requiring opt-out.
Minnesota Consumer Data Privacy Act (July 2025) — adds specific rights around profiling and automated decisions.
Washington My Health My Data Act (2024) — not a comprehensive law but a sector-specific privacy law with teeth. It covers "consumer health data" broadly — anything indicating a consumer's past, present, or future health status, including data from wellness apps and wearables. Includes a private right of action, which is rare.
The current approach in most state legislatures is to pass some form of privacy law rather than get left behind. Expect this list to keep growing.
Where They All Differ (and How to Think About It)
You can broadly cluster the state laws into three tiers:
Strict tier: California, Colorado, Maryland, Washington (health data). These have active regulators, detailed rules, universal opt-out mechanisms, and strong consumer rights. If you comply with California and Colorado, you'll largely cover the strict tier.
Standard tier: Virginia, Texas, Connecticut, Oregon, most others. Virginia-style laws. Opt-out rights, privacy notices, data protection assessments for high-risk processing, no private right of action. Complying with California generally covers these automatically.
Emerging tier: New state laws still bedding in. Most are Virginia-derivatives. Watch for unique twists — Maryland's minimization, Oregon's third-party transparency, Washington's private right of action on health data.
A few common threads across all of them:
- Age 13-16 "sensitive" data. Most states require opt-in consent for minors (the exact age cutoff varies — 13, 16, or 18). This is on top of COPPA obligations for children under 13.
- Processing contracts. You need written agreements with service providers/processors. California, Virginia, Colorado, and others all require specific contractual clauses.
- Data Protection Assessments. Required for high-risk processing in most states. One well-designed assessment template can usually satisfy multiple state requirements.
- Consumer request handling. Build one process that can identify the state residence of requesters and apply the right rules. Don't build 20 separate workflows.
Practical Compliance in 2026
The good news: you don't need to build 20 different privacy programs. The bad news: you do need to build one that's genuinely flexible.
Here's the pragmatic playbook:
1. Start with California as your baseline. It's the strictest law, and complying with it puts you 80% of the way to most other states. You'll need to add a few items (Colorado's UOOM, Oregon's third-party disclosure, Maryland's minimization), but the foundation is there.
2. Honor universal opt-out signals. Global Privacy Control (GPC) is required by California, Colorado, and a growing list of others. Your site needs to detect and respect it. If you're using a consent management platform, make sure this is turned on.
3. Build a unified consumer request workflow. One intake form that verifies identity, determines state residence, and applies the right timelines and scope. Most privacy compliance platforms handle this out of the box.
4. Audit your data map. You can't comply with minimization, deletion, or any of these laws if you don't know what data you have and where. This is boring foundational work. Do it anyway.
5. Map to GDPR if you already have that program. If you're already compliant with GDPR, you're mostly compliant with the strict US state laws. The gaps are around specific opt-out signals, state-specific notice requirements, and sensitive data definitions. Don't rebuild the whole program.
6. Update contracts with service providers. Nearly every state privacy law requires specific clauses in contracts with vendors that process personal data. If your data processing agreement templates haven't been refreshed since 2023, they need work.
7. Get your privacy notice right. Most enforcement actions so far have been about failure to post adequate notices, failure to offer the right opt-outs, and failure to respect those opt-outs. These are solvable problems.
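Steps 2 and 3 of the playbook (detect and honor the GPC signal; run one request workflow that applies state-specific scope) can share a single piece of code. The JavaScript below is an added example, not code from this article or from any consent management platform: it reads the `Sec-GPC` request header defined by the Global Privacy Control specification and records the resulting opt-outs on a consent record. The consent-record shape, the `hasGpcSignal`/`applyGpc` names and the per-state scope table are assumptions made for this illustration, not a reading of any statute.

```javascript
// Added example: honoring a Global Privacy Control (GPC) signal server-side.
// Header name and value ("Sec-GPC: 1") come from the GPC specification; the
// record shape and the scope table below are constructed for this example.

// Case-insensitive header lookup so the check works with raw objects
// (e.g. {"Sec-GPC": "1"}) as well as Node's lower-cased req.headers.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// GPC is signalled only by the exact value "1". Any other value (or an
// absent header) is treated as "no signal", never as consent to anything.
function hasGpcSignal(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// Opt-out scopes a GPC signal should set, keyed by state of residence.
// The labels mirror the article's description of each law; the table itself
// is an assumption for this example. Unknown or non-listed states fall back
// to honoring the signal anyway, so there is one workflow, not twenty.
const GPC_OPT_OUTS = {
  CA: ["sale_or_sharing"],               // CCPA/CPRA: opt out of sale or sharing
  CO: ["sale", "targeted_advertising"],  // Colorado: universal opt-out required
  OR: ["sale", "targeted_advertising"],  // Oregon: universal opt-out required
  DEFAULT: ["sale", "targeted_advertising"], // Virginia-style states and others
};

// Returns a new consent record with GPC opt-outs applied. The record is
// { state, optOuts: { scope: { source, at } }, gpc } (constructed shape).
// An opt-out already on file keeps its original source and timestamp, so the
// audit trail shows how each opt-out was first obtained.
function applyGpc(record, headers, now = new Date()) {
  if (!hasGpcSignal(headers)) return { ...record, gpc: false };
  const scopes = GPC_OPT_OUTS[record.state] || GPC_OPT_OUTS.DEFAULT;
  const optOuts = { ...(record.optOuts || {}) };
  for (const scope of scopes) {
    if (!optOuts[scope]) optOuts[scope] = { source: "gpc", at: now.toISOString() };
  }
  return { ...record, gpc: true, optOuts };
}

// Stand-alone demonstration with a constructed request.
const demo = applyGpc({ state: "CA", optOuts: {} }, { "Sec-GPC": "1" });
console.log(JSON.stringify(demo));
```

Two design choices matter here. Only the literal value `1` counts as a signal, which matches the specification and means a malformed header can never be misread as consent. And the fallback entry honors the signal in every state rather than only where a statute names a universal opt-out mechanism, which is the conservative reading and avoids maintaining a per-state branch as the list grows. In the browser, the same signal is exposed as `navigator.globalPrivacyControl`, so a consent banner can check it client-side before any third-party tag loads.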
Does a Federal Law Finally Happen in 2026?
Probably not, but the pressure is real. The American Privacy Rights Act (APRA) got further along in Congress than anything prior, but didn't pass. Various drafts are circulating. Industry groups want federal preemption (to end the patchwork), privacy advocates want strong rights (and no preemption). They don't agree.
Until federal law passes, the patchwork is the system. Treat it that way — build for the reality that you'll have to comply with multiple overlapping state laws, probably for years. For SaaS companies expanding globally, this means the US privacy stack has become genuinely comparable in complexity to the EU one.
References
- California Consumer Privacy Act (CCPA) — California Attorney General
- Colorado Privacy Act — Colorado Attorney General
- Virginia Consumer Data Protection Act — Virginia Code
- Texas Data Privacy and Security Act — Texas Attorney General
- IAPP US State Privacy Legislation Tracker — International Association of Privacy Professionals