State Data Privacy Laws 2026: Who is Next After California?
The State Privacy Law Explosion
When California passed the California Consumer Privacy Act (CCPA) in 2018, it was a landmark moment. For the first time, an American state gave consumers sweeping rights over their personal data. Many predicted that a federal privacy law would follow quickly, rendering state laws unnecessary.
That federal law never materialized. Instead, state after state has passed its own comprehensive privacy legislation, creating a patchwork of requirements that businesses must navigate. As of 2026, more than 15 states have enacted comprehensive data privacy laws, with more on the way.
If your business collects personal information from consumers (and nearly every business does), you need to understand this landscape. Even if your business is small, you may be surprised to learn which laws apply to you.
The Current State Privacy Law Landscape
Tier 1: Comprehensive Privacy Laws (Active and Enforced)
These states have fully enacted comprehensive data privacy laws with active enforcement:
California (CCPA/CPRA)
- Effective: January 2020 (CCPA), January 2023 (CPRA amendments)
- Applies to businesses that: Have annual gross revenue over $25 million, OR buy/sell/share personal information of 100,000+ consumers, OR derive 50%+ of revenue from selling/sharing personal information
- Key features: Right to know, right to delete, right to opt out of sale/sharing, right to correct, right to limit use of sensitive personal information
- Enforcement: California Privacy Protection Agency (CPPA) plus the Attorney General
- Penalties: Up to $2,500 per violation, $7,500 per intentional violation
- Private right of action: Limited to data breach claims
Virginia (VCDPA)
- Effective: January 2023
- Applies to businesses that: Conduct business in Virginia or target Virginia residents AND control/process data of 100,000+ consumers, OR 25,000+ consumers while deriving 50%+ of revenue from data sales
- Key features: Right to access, correct, delete, obtain a copy, and opt out of targeted advertising, sale of data, and profiling
- Enforcement: Attorney General only (no private right of action)
Colorado (CPA)
- Effective: July 2023
- Key distinction: Universal opt-out mechanism requirement. Businesses must honor browser-based opt-out signals (like Global Privacy Control).
Connecticut (CTDPA)
- Effective: July 2023
- Notable: Similar to Virginia's law but with some broader consumer protections
Utah (UCPA)
- Effective: December 2023
- Notable: Higher threshold (revenue of $25 million+) and more business-friendly than other state laws
Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island
- Various effective dates through 2025 and 2026
- Each follows the general pattern of consumer rights and business obligations but with unique thresholds, definitions, and requirements
Tier 2: Laws Enacted, Coming Into Effect
Several states have passed privacy laws that take effect in 2026 or later. Monitor effective dates and begin compliance preparation early.
Tier 3: Legislation in Progress
Multiple additional states have active privacy bills in their legislatures. The trend is clear: comprehensive state privacy laws will eventually cover the majority of the U.S. population.
Common Elements Across State Privacy Laws
While every state law is different, most share these core elements:
Consumer Rights
Nearly all comprehensive state privacy laws grant consumers these rights:
- Right to know/access: What personal data a business has collected about them
- Right to delete: Request deletion of their personal data
- Right to correct: Fix inaccurate personal data
- Right to data portability: Obtain a copy of their data in a usable format
- Right to opt out of: Sale of personal data, targeted advertising, and certain profiling activities
Business Obligations
Businesses subject to these laws must:
- Provide a privacy notice disclosing data collection practices, purposes, consumer rights, and how to exercise them
- Implement reasonable data security measures appropriate to the volume and sensitivity of data
- Conduct data protection assessments for high-risk processing activities (targeted advertising, sale of data, sensitive data processing)
- Honor consumer requests within specified timeframes (typically 45 days, with extensions available)
- Maintain contracts with data processors (third parties processing data on your behalf) that include specific privacy protections
- Obtain consent before processing sensitive data (health data, biometric data, precise geolocation, data from children)
Applicability Thresholds
This is where laws diverge significantly. Common thresholds include:
- Revenue thresholds: Some laws apply only to businesses above certain revenue levels (California: $25 million; Utah: $25 million)
- Data volume thresholds: Processing data of a minimum number of consumers (commonly 100,000 consumers, or 25,000 consumers when a significant share of revenue comes from selling personal data)
- Geographic scope: Most apply to businesses that operate in the state or target residents of the state
- Exemptions: Most states exempt certain data types (data already covered by HIPAA, GLBA, FERPA) and certain entity types (non-profits, higher education institutions in some states)
Key Differences That Trip Up Businesses
Opt-In vs. Opt-Out for Sensitive Data
- Most states: Require opt-in consent before processing sensitive personal data
- Utah: Uses an opt-out model for sensitive data (more business-friendly)
Universal Opt-Out Mechanisms
- Colorado, Connecticut, Montana, Texas, Delaware, Oregon, Minnesota, Maryland, Nebraska: Require businesses to honor universal opt-out signals (like Global Privacy Control)
- Other states: Do not yet require this but may add it through rulemaking
Private Right of Action
- California: Limited private right of action for data breaches involving unencrypted or unredacted personal information
- Most other states: No private right of action; enforcement is exclusively through the Attorney General
This is a critical distinction. California's private right of action has generated significant class action litigation, while enforcement in other states has been more measured.
Cure Periods
- Some states: Grant businesses a period (often 30-60 days) to cure violations before facing penalties
- California: No cure period under CPRA
- Trend: Cure periods are being reduced or eliminated in newer laws
Building a Multi-State Compliance Program
Step 1: Data Mapping
Before you can comply with any privacy law, you need to understand what data you have:
- What personal data do you collect? (names, emails, browsing behavior, purchase history, location data, device identifiers)
- Where does it come from? (directly from consumers, third-party data providers, tracking technologies)
- Why do you collect it? (provide services, marketing, analytics, sell to third parties)
- Where does it go? (internal systems, cloud providers, marketing platforms, data brokers, affiliates)
- How long do you keep it? (retention policies by data category)
Step 2: Determine Which Laws Apply
Based on your data mapping, determine:
- Where are your customers/users located? If you have customers in California, Virginia, Colorado, etc., those state laws may apply.
- Do you meet the thresholds? Check each state's applicability criteria against your data volumes and revenue.
- Are you exempt? Review exemptions for your entity type and data categories.
Step 3: Implement a Baseline Privacy Program
Rather than building separate programs for each state, implement a single program that meets the highest common standard:
Privacy Notice:
Create a comprehensive privacy notice that addresses all applicable state requirements. Include:
- Categories of personal data collected
- Purposes for collection and processing
- Categories of third parties with whom data is shared
- Consumer rights and how to exercise them
- Contact information for privacy inquiries
Consumer Rights Request Process:
Build a system to receive, verify, and fulfill consumer rights requests. Most laws require:
- At least two methods for submitting requests (web form, email, toll-free number)
- Identity verification procedures
- Response within 45 days (with extensions if needed)
- Documentation of requests and responses
Vendor Management:
Review and update contracts with all service providers who process personal data on your behalf. Contracts should include:
- Processing limitations (only process data as instructed)
- Confidentiality obligations
- Data security requirements
- Breach notification procedures
- Audit rights
Data Security:
Implement reasonable security measures. While privacy laws do not typically specify exact technical requirements, refer to frameworks like NIST CSF for guidance. See our cybersecurity compliance guide for practical implementation steps.
Step 4: Monitor and Adapt
The privacy landscape is changing rapidly:
- Track new laws being enacted in states where you do business
- Monitor enforcement actions for guidance on how regulators interpret requirements
- Review and update your privacy program at least annually
- Train your team on privacy obligations and how to handle consumer requests
Small Business Considerations
Do These Laws Even Apply to My Small Business?
Many small businesses fall below the applicability thresholds of most state privacy laws. However:
- California's CCPA applies to businesses with $25 million+ in revenue or that process data of 100,000+ consumers. Many small businesses with e-commerce operations or digital marketing reach the 100,000 consumer threshold.
- States without revenue thresholds (like Virginia, Colorado, Connecticut) apply based solely on data processing volume. If your website or app has significant traffic from these states, you may be covered.
- Even if not directly subject to comprehensive laws, all states have data breach notification laws and general consumer protection laws that apply to businesses of all sizes.
Cost-Effective Compliance
Small businesses can build a compliant privacy program without massive expense:
- Use template privacy policies as a starting point (but have legal counsel review)
- Implement free universal opt-out mechanisms (honor Global Privacy Control signals in your analytics and marketing tools)
- Use existing tools for consumer rights requests (even a dedicated email address and spreadsheet works for low volumes)
- Focus on data minimization (collect only what you truly need; less data means less compliance burden)
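The universal opt-out requirement above (Colorado and the other states listed, and the "honor Global Privacy Control signals" tip) is straightforward to implement in code. The following is an added example, not code from the page or from SMBRegs; it assumes the Global Privacy Control specification's `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` property, and `loadTag`, the stored-choice values and the tag names are constructed for illustration.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// Per the GPC spec a supporting browser sends the request header "Sec-GPC: 1"
// and exposes navigator.globalPrivacyControl === true on the page.

// Server side: decide from raw request headers whether the visitor has
// signalled opt-out of sale/sharing. Header names are case-insensitive.
function gpcOptOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      // Spec: "1" is the only defined value; anything else is not a signal.
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: same decision from the navigator object (passed in so it can be tested).
function gpcOptOutFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Build the consent record that tag/analytics code consults.
// storedChoice is a hypothetical value from your consent banner: "allow", "deny" or null.
// A GPC signal overrides a stored "allow"; a stored "deny" is never overridden.
// With no signal and no stored choice this example defaults to not allowed
// (a conservative assumption; adjust to the regime that applies to you).
function buildConsentState({ headers = {}, nav = null, storedChoice = null } = {}) {
  const gpc = gpcOptOutFromHeaders(headers) || gpcOptOutFromNavigator(nav);
  const sellShareAllowed = !gpc && storedChoice === "allow";
  return {
    gpcSignal: gpc,
    sellShareAllowed,
    targetedAdsAllowed: sellShareAllowed,
    source: gpc ? "gpc" : storedChoice ? "stored-choice" : "default-opt-out",
  };
}

// Gate third-party marketing tags on the consent state. `loadTag` is a
// hypothetical callback that injects one tag; returns how many were loaded.
function loadMarketingTags(consent, loadTag) {
  if (!consent.targetedAdsAllowed) return 0;
  const tags = ["ads-pixel", "retargeting"]; // constructed sample tag ids
  tags.forEach(loadTag);
  return tags.length;
}

// Spec-defined /.well-known/gpc.json body advertising that the site honors GPC.
const gpcWellKnown = { gpc: true, lastUpdate: "2026-01-01" };
```

Record the resulting consent state with each request so you can show an auditor that a signalled opt-out was honored.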
What is Coming Next
Federal Privacy Legislation
Comprehensive federal privacy legislation has been debated for years. The American Privacy Rights Act (APRA) gained significant momentum but has not yet passed. If federal legislation is enacted, it may preempt some or all state laws, simplifying compliance. But do not wait for a federal solution; plan based on current state requirements.
AI and Privacy Convergence
Several states are proposing laws that combine AI regulation with data privacy requirements. Processing personal data through AI systems may trigger additional obligations around transparency, fairness, and human oversight. Watch Colorado and Connecticut for early developments.
Children's Privacy
Enhanced protections for minors' data are expanding rapidly. California's Age-Appropriate Design Code Act and similar bills in other states impose additional requirements for businesses whose services are likely to be accessed by children.
Navigate the Privacy Patchwork
State data privacy compliance does not have to be overwhelming. Start with a solid baseline, understand which laws apply to your business, and build from there.
[Take the free SMBRegs compliance quiz](/wizard) to identify which state privacy laws apply to your business based on where your customers are located, what data you collect, and your industry. We will give you a clear, actionable compliance checklist.
Protect your customers' data and your business reputation. [Get your personalized compliance roadmap now](/wizard).