19 US State Privacy Laws Are Now Active — A Compliance Map for 2026

TL;DR: Quick Takeaways

•As of January 1, 2026, 19 US states have active comprehensive privacy laws — Indiana, Kentucky, and Rhode Island are the newest additions.
•California remains the most aggressive enforcer with CPRA penalties reaching $7,988 per intentional violation and $2.75M settlements already recorded.
•All 19 active laws share a common core of consumer rights: access, deletion, correction, opt-out of sale, and data portability — a unified compliance program can address 80 percent of requirements across all states.
•The biggest compliance gaps for most companies are data mapping, DSR (Data Subject Request) processing infrastructure, and vendor contract updates.
•A federal privacy law remains stalled in Congress — state law compliance is the only viable path for businesses operating across multiple states.

The United States now has 19 active state-level privacy laws — a regulatory landscape that has transformed from a single California outlier to a genuine patchwork requiring systematic compliance management. January 1, 2026 brought three new laws into effect: Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act. Companies that have not built a scalable privacy compliance program are now running out of time to catch up.

The good news is that these 19 laws share more in common than they differ. They are broadly modeled on either the GDPR or the Virginia CDPA, and the common core — consumer rights, opt-out mechanisms, data processing agreements, and privacy notices — can be addressed with a unified program that covers 75 to 85 percent of each law's requirements. The remaining 15 to 25 percent consists of state-specific thresholds, category definitions, and enforcement mechanisms that require targeted attention.

This guide maps every active state law, compares the provisions that matter most for compliance operations, identifies where enforcement is concentrating, and gives you a practical framework for building a unified privacy program that scales as more states inevitably follow.

The 19 Active US State Privacy Laws: Complete Map

Here is the complete list of states with active comprehensive consumer privacy laws as of the date of this article, ordered by effective date.

State	Law Name	Effective Date	Revenue Threshold	Consumer Threshold
California	CPRA	Jan 1, 2023	$25M+	100K+ residents
Virginia	VCDPA	Jan 1, 2023	None	100K+ residents
Colorado	CPA	Jul 1, 2023	None	100K+ residents
Connecticut	CTDPA	Jul 1, 2023	None	100K+ residents
Utah	UCPA	Dec 31, 2023	$25M+	100K+ residents
Texas	TDPSA	Jul 1, 2024	None	Processes TX residents' data
Oregon	OCPA	Jul 1, 2024	None	100K+ residents
Montana	MCDPA	Oct 1, 2024	None	50K+ residents
Florida	FDBR	Jul 1, 2024	$1B+ (large orgs)	100K+ residents
Delaware	DPDPA	Jan 1, 2025	None	35K+ residents
Iowa	ICDPA	Jan 1, 2025	None	100K+ residents
Nebraska	NDPA	Jan 1, 2025	None	100K+ residents
New Hampshire	NHPA	Jan 1, 2025	None	35K+ residents
New Jersey	NJDPA	Jan 15, 2025	None	100K+ residents
Tennessee	TIPA	Jul 1, 2025	$25M+	175K+ residents
Minnesota	MNDPA	Jul 31, 2025	None	100K+ residents
Indiana	INCDPA	Jan 1, 2026	None	100K+ residents
Kentucky	KCDPA	Jan 1, 2026	None	100K+ residents
Rhode Island	RIDTPPA	Jan 1, 2026	None	35K+ residents

Where Enforcement Is Concentrating: California Leads

California's enforcement record under CPRA/CCPA provides the clearest picture of how state privacy enforcement actually operates in practice. The California Privacy Protection Agency has moved decisively from regulatory warnings to meaningful financial penalties, and the settlements reached in 2025 and 2026 signal the enforcement posture that other states are likely to follow as their own regulatory bodies mature.

California CPRA Enforcement Highlights

$2.75 million settlement with a major technology company for failure to honor opt-out of sale requests and inadequate privacy disclosures — the largest CPRA penalty recorded to date.
$7,988 per intentional violation — the maximum civil penalty for knowing or intentional CPRA violations, applied per individual violation rather than per incident.
$2,500 per unintentional violation — still significant for companies with large consumer bases, where a systematic process failure can generate thousands of individual violations.
No cure period for intentional violations — the CPPA can proceed directly to enforcement without giving companies an opportunity to remediate in cases of knowing non-compliance.

The enforcement focus has concentrated on three categories of violation: failures to honor consumer rights requests within the required 45-day window, inadequate privacy notices that do not accurately describe data processing activities, and dark patterns in consent interfaces that make it artificially difficult to exercise opt-out rights. All three are operational failures — they are not about the sophistication of security controls but about process maturity and organizational commitment to consumer rights.

Texas, while newer to enforcement, has signaled an aggressive posture under the TDPSA. The Texas Attorney General's office has indicated that enforcement will prioritize data brokers, health data processors, and companies with opt-out mechanisms that fail to function as disclosed. Oregon's Attorney General similarly announced a consumer privacy enforcement initiative in late 2025 targeting companies processing sensitive data without adequate consent mechanisms.

Key Provisions Comparison: What Actually Differs Between States

The structural similarity across these 19 laws is what makes a unified compliance program viable. The differences are real but manageable — and understanding exactly where they lie helps you scope your compliance effort correctly.

Consumer Rights: The Common Core

All 19 laws grant consumers substantially similar rights, though the specific scope and response timelines vary:

Consumer Right	States Granting	Standard Response Window
Right to Access	All 19	45 days (extendable 45)
Right to Deletion	All 19	45 days (extendable 45)
Right to Correction	17 of 19 (not Iowa, Utah)	45 days (extendable 45)
Right to Portability	All 19	45 days (extendable 45)
Opt-Out of Sale	All 19	15 days (CA) to 45 days
Opt-Out of Profiling	15 of 19	Varies
Sensitive Data Opt-In	All 19	Before processing

The Critical Differences That Require State-Specific Attention

Sensitive Data Categories

California's sensitive data categories include precise geolocation, racial or ethnic origin, religious beliefs, health data, financial data, genetic and biometric data, sexual orientation, and citizenship status. Texas and Oregon include similar categories but with slightly different definitions of what constitutes precise geolocation. Minnesota adds union membership as a sensitive category that most other states do not address.

Data Protection Assessments

Connecticut, Colorado, Virginia, Oregon, Montana, and Minnesota require Data Protection Assessments (similar to GDPR's Data Protection Impact Assessments) for high-risk processing activities. California, Texas, Indiana, Kentucky, and most others do not have a formal DPA requirement, though general accountability documentation is expected.

Private Right of Action

California is the only state with a private right of action for data breaches involving consumers' unencrypted personal information. All other states reserve enforcement exclusively to the Attorney General. This distinction matters significantly for litigation risk — California-facing companies have unique exposure to class action suits on top of regulatory penalties.

Cure Periods

Most states provide a cure period — typically 30 to 60 days — during which a company can remediate a violation before enforcement action is initiated. California has eliminated the cure period for intentional violations and is moving toward eliminating it entirely for repeat violations. Texas has no cure period at all.

Build a Unified Privacy Program That Scales Across All 19 States

LowerPlane's multi-framework compliance engine maps your data processing activities against CPRA, VCDPA, TDPSA, and all 16 other active state laws simultaneously — identifying conflicts and gaps in a single dashboard.

Book a Demo

Building a Unified Privacy Compliance Program

The most efficient approach to multi-state privacy compliance is not to treat each law as a separate compliance project. Instead, build a unified program calibrated to the most stringent requirements across all applicable laws, then add state-specific configurations as needed. California's CPRA, given its breadth and enforcement maturity, is the appropriate baseline for most companies operating at scale.

Step 1: Data Mapping and Inventory

You cannot comply with any privacy law if you do not know what personal data you collect, where it is stored, how it flows through your systems, and with whom it is shared. A comprehensive data map is the foundation of every other privacy compliance activity. For companies operating at scale, data mapping requires input from product, engineering, marketing, sales, and legal teams — it is a cross-functional exercise, not a legal department project.

The data map should capture: categories of personal data collected, sources of that data, processing purposes, storage locations and retention periods, downstream sharing relationships (third parties, service providers, data brokers), and whether sensitive data categories are involved. This documentation serves as the input for privacy notices, Data Protection Assessments, and consumer rights request processing.

Step 2: DSR Processing Infrastructure

Data Subject Request (DSR) processing is where most companies' privacy programs break down operationally. Receiving a request, verifying the requester's identity, locating all personal data across systems, executing the requested action (access, deletion, correction, portability), confirming completion, and documenting the outcome — all within a 45-day window — requires a structured workflow with clear system ownership.

Companies processing high volumes of consumer requests need automation. Manual DSR handling at scale is error-prone and expensive. LowerPlane's DSR management module automates intake, routes requests to system owners, tracks SLA compliance, and generates audit documentation — the same infrastructure that handles GDPR Subject Access Requests works for all 19 US state law DSRs, since the rights and timelines are substantially similar.

Step 3: Vendor and Data Processing Agreement Audits

All 19 state laws require that companies enter into Data Processing Agreements (or equivalent contractual arrangements) with service providers who process personal data on their behalf. Under CPRA, these are called service provider contracts. Under most other state laws, they are called processor agreements. The required provisions are similar: limitation on the service provider's use of the data to the specified purpose, obligations to assist with consumer rights requests, security requirements, and audit rights.

Many companies discover during vendor audits that 30 to 40 percent of their vendor relationships involving personal data do not have adequate contractual protections in place. Remediating this requires a systematic vendor inventory, contract review, and negotiation process — one that is substantially more manageable with a template library and workflow tooling.

Step 4: Consent and Opt-Out Mechanisms

The requirement to provide consumers with a conspicuous opt-out mechanism for the sale or sharing of their personal data is universal across all 19 laws. The Global Privacy Control (GPC) signal — a browser-level opt-out mechanism — must be honored by California companies and is recommended by several other states. Companies whose websites do not detect and honor GPC signals are creating per-visitor violation exposure with every California resident who visits.

What's Coming Next: Laws on the Horizon

The legislative momentum is not slowing. Several additional states have passed privacy laws with future effective dates, and multiple states are advancing legislation through their legislatures as of early 2026.

Laws with Future Effective Dates

Jan 1, 2026Maryland Age-Appropriate Design Code (MAADC) — additional requirements for platforms likely to be accessed by minors
Oct 1, 2026Maryland Online Data Privacy Act (MODPA) — comprehensive law with some of the strictest sensitive data protections in the country
Jan 1, 2027Multiple states with legislation advancing including Wisconsin, Georgia, and Oklahoma

Maryland's Online Data Privacy Act deserves particular attention from compliance teams. It includes some of the most consumer-protective provisions enacted by any US state: it prohibits the sale of sensitive personal data entirely (rather than merely requiring opt-out), mandates data minimization as a substantive requirement, and introduces a duty of loyalty concept that prohibits processing data in ways that harm consumers. Companies currently building compliance programs should monitor MODPA closely, as its October 2026 effective date is approaching rapidly.

Key Takeaways

1
As of January 1, 2026, 19 US states have active comprehensive privacy laws. Indiana, Kentucky, and Rhode Island are the newest entrants, and more are coming before year-end.
2
California remains the most aggressive enforcer with penalties up to $7,988 per intentional violation. Settlements reaching $2.75M demonstrate that enforcement is real, not theoretical.
3
A unified compliance program built on CPRA as the baseline will satisfy 75 to 85 percent of requirements across all 19 state laws, with targeted state-specific configurations covering the remainder.
4
The most common compliance failures are DSR processing delays, inadequate opt-out mechanisms, and missing data processing agreements with vendors — all operational issues, not technical ones.
5
Maryland's MODPA, effective October 2026, introduces some of the strictest provisions yet — including a prohibition on selling sensitive data entirely. Start preparing now.
6
A federal privacy law remains stalled in Congress. Building state-by-state compliance infrastructure is the only viable path for companies operating across multiple states today.

Frequently Asked Questions

If we are compliant with CPRA, are we compliant with all 19 state laws?

CPRA compliance covers the majority of requirements in other state laws, but not all of them. California's law does not require Data Protection Assessments for high-risk processing, which states like Colorado, Connecticut, and Virginia do require. Additionally, some states have specific sensitive data categories — like Minnesota's inclusion of union membership — that CPRA does not address. A CPRA-compliant program gets you approximately 80 percent of the way to compliance with other state laws; a targeted gap analysis covers the remainder.

Does my business need to comply with every state law where our consumers reside?

Yes, with some thresholds. Each state law applies based on whether you process personal data of residents of that state above certain thresholds — typically 100,000 residents annually or revenue above a set amount. If you have consumers in California, Virginia, Colorado, and Connecticut and meet those states' thresholds, all four laws apply to you simultaneously. Most national businesses processing consumer data at any meaningful scale will be subject to at least 8 to 12 of the 19 active laws.

What is the Global Privacy Control and are we required to honor it?

The Global Privacy Control is a browser signal that consumers can enable to automatically opt out of the sale and sharing of their personal data. Under California's CPRA, honoring the GPC is mandatory — failure to detect and process GPC signals constitutes a violation of the opt-out right. Colorado's CPA similarly requires GPC compliance. Several other states strongly recommend it. If your website receives traffic from California residents, you must implement GPC detection and integrate it with your consent management platform.

What counts as a "sale" of personal data under these laws?

The definition of "sale" varies by state. California defines it broadly as exchanging personal data for monetary or other valuable consideration — including ad targeting arrangements where personal data is shared with advertisers in exchange for revenue. Virginia and most other states define sale more narrowly as an exchange for monetary consideration only. This distinction matters because behavioral advertising arrangements that qualify as a sale under CPRA may not qualify under VCDPA, affecting which opt-out mechanisms you need to provide.

How long do we have to respond to consumer rights requests?

The standard response window under all 19 active state laws is 45 days from receipt of a verifiable consumer request. Most states allow a single 45-day extension if the controller notifies the consumer of the delay and the reason for it. California requires opt-out requests to be honored within 15 business days. The clock starts when you have received a verifiable request — meaning you have confirmed the requester's identity. The identity verification process itself does not consume response window time, but verification procedures must be proportionate and cannot be used as a way to delay or discourage requests.

Can LowerPlane help manage DSR workflows across multiple state laws?

Yes. LowerPlane's DSR management module handles intake, identity verification routing, SLA tracking, and documentation for consumer rights requests across all applicable US state laws and GDPR simultaneously. The platform routes requests to the appropriate system owners, tracks the 45-day response clock per state-specific requirements, and generates audit records for every completed request. Since the core rights and timelines are substantially similar across all 19 laws, the same workflow infrastructure handles multi-state DSR processing without requiring separate processes for each jurisdiction.

Get Compliance Insights Weekly

Join 5,000+ compliance professionals receiving actionable insights every week.

No spam. Unsubscribe anytime.