All 20 State Privacy Laws: At-a-Glance Comparison
The table below covers every US state with a comprehensive consumer data privacy law active or taking effect in 2026. Laws are listed in chronological order of their effective date. "Controller threshold" is the minimum scope criterion — if your business meets any one of the criteria listed, the law applies to you.
| State | Law | Effective | Controller Threshold | Max Penalty | Private Right of Action |
|---|---|---|---|---|---|
| California | CCPA / CPRA | Jan 1, 2020 / Jan 1, 2023 | $25M revenue; OR 100k+ consumers; OR 50%+ revenue from selling personal data | $7,500 / violation | ⚠ Breaches only |
| Virginia | VCDPA | Jan 1, 2023 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $7,500 / violation | — No |
| Colorado | CPA | Jul 1, 2023 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $20,000 / violation | — No |
| Connecticut | CTDPA | Jul 1, 2023 | 100k+ consumers/year; OR 25k+ consumers + 25%+ revenue from selling data | $5,000 / violation | — No |
| Utah | UCPA | Dec 31, 2023 | $25M revenue AND (100k+ consumers OR 25k+ consumers + 50%+ revenue from selling data) | $7,500 / violation | — No |
| Texas | TDPSA | Jul 1, 2024 | Any entity conducting business in TX or targeting TX residents (small businesses exempt) | $7,500 / violation (treble for willful) | — No |
| Oregon | OCPA | Jul 1, 2024 | 100k+ consumers/year; OR 25k+ consumers + 25%+ revenue from selling data | $25,000 / violation | — No |
| Florida | FDBR | Jul 1, 2024 | $1B+ annual revenue (very limited scope) | $50k–$500k / violation | — No |
| Montana | MCDPA | Oct 1, 2024 | 50k+ consumers/year; OR 25k+ consumers + 25%+ revenue from selling data | $7,500 / violation | — No |
| Delaware | DPDPA | Jan 1, 2025 | 35k+ consumers/year; OR 10k+ consumers + 20%+ revenue from selling data | $10,000 / violation | — No |
| Iowa | ICDPA | Jan 1, 2025 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $7,500 / violation | — No |
| Nebraska | NDPA | Jan 1, 2025 | Any entity conducting business in NE or targeting NE residents (small businesses exempt) | $7,500 / violation | — No |
| New Hampshire | NHPA | Jan 1, 2025 | 35k+ consumers/year; OR 10k+ consumers + 25%+ revenue from selling data | $10,000 / violation | — No |
| New Jersey | NJDPA | Jan 15, 2025 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $10,000 first; $20,000 subsequent | — No |
| Tennessee | TIPA | Jul 1, 2025 | 175k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $15,000 / violation (treble for willful) | — No |
| Minnesota | MHPA | Jul 31, 2025 | 100k+ consumers/year; OR 25k+ consumers + 25%+ revenue from selling data | $7,500 / violation | — No |
| Maryland | MODPA | Oct 1, 2025 | 35k+ consumers/year; OR 10k+ consumers + 20%+ revenue from selling data | $10,000; $25,000 subsequent | — No |
| Rhode Island | RIPA | Jan 1, 2026 | 35k+ consumers/year; OR 10k+ consumers + 20%+ revenue from selling data | $10,000 / violation | — No |
| Indiana | INCDPA | Jan 1, 2026 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $7,500 / violation | — No |
| Kentucky | KCDPA | Jan 1, 2026 | 100k+ consumers/year; OR 25k+ consumers + 50%+ revenue from selling data | $7,500 / violation | — No |
Note on the two broadest laws: TDPSA (Texas) and NDPA (Nebraska) have the broadest applicability — no revenue or consumer-volume threshold for non-small businesses. If you have any users in Texas or Nebraska, you almost certainly need to comply.
The Big 5: Deep Dives
Five laws dominate the compliance landscape for US businesses. They were the first to take effect, they cover the most populous states, and they've set the template that most subsequent laws follow. If you're compliant with the Big 5, you're in reasonable shape for most others.
California: CCPA / CPRA — The Benchmark
- Effective: January 1, 2020 (CCPA) • January 1, 2023 (CPRA enhancements)
- Regulator: California Privacy Protection Agency (CPPA) — the only dedicated state privacy agency in the US
- Scope trigger: $25M+ annual gross revenue; OR 100,000+ consumers; OR 50%+ revenue from selling personal data
- Unique features: Private right of action for data breaches ($100–$750 per consumer per incident); dedicated enforcement agency; no cure period for intentional violations; right to limit use of sensitive personal information
- Cure period: None (intentional); 30 days (unintentional, AG discretion)
- Penalty: $2,500/violation (unintentional) • $7,500/violation (intentional)
CCPA/CPRA is the most comprehensive and most enforced state privacy law. The CPPA is an aggressive, well-funded regulator — it's already begun formal enforcement and has made clear it will pursue companies regardless of size. California's 39 million residents mean nearly any consumer-facing business meets the 100,000-consumer threshold within 12–18 months. The right to limit use of sensitive personal information — covering precise geolocation, biometric data, health data, and several other categories — has no equivalent in most other state laws. Full CCPA/CPRA compliance guide →
Virginia: VCDPA — The AG-Only Model
- Effective: January 1, 2023
- Regulator: Virginia Attorney General (AG)
- Scope trigger: 100,000+ consumers/year; OR 25,000+ consumers + 50%+ revenue from selling data
- Unique features: No private right of action; DPAs required for high-risk processing; right to appeal controller decisions; cure period expires July 1, 2026
- Cure period: 30 days (expires July 1, 2026 — after which violations can be prosecuted immediately)
- Penalty: Up to $7,500/violation
VCDPA established the template most subsequent states have followed: AG-only enforcement, no private right of action, cure period, and a data protection assessment requirement for high-risk processing activities. The key practical difference from CCPA is the absence of a dedicated privacy agency — enforcement depends on AG priority and resources. The cure period sunset in July 2026 is a significant calendar item: companies that have been relying on the cure window to avoid formal penalties lose that buffer mid-year. Full VCDPA compliance guide →
Colorado: CPA — The Highest Per-Violation Penalty
- Effective: July 1, 2023
- Regulator: Colorado Attorney General
- Scope trigger: 100,000+ consumers/year; OR 25,000+ consumers + 50%+ revenue from selling data
- Unique features: Highest per-violation penalty of any US state law at $20,000; universal opt-out mechanism required (GPC-compliant); cure period expired January 1, 2025
- Cure period: None (expired January 1, 2025)
- Penalty: Up to $20,000/violation
Colorado's $20,000 per-violation cap is the highest of any US state privacy law — more than twice the CCPA cap and nearly three times Connecticut's. With the cure period now expired, there is no grace period for non-compliance. Colorado also mandates technical support for the Global Privacy Control (GPC) browser signal as a valid opt-out mechanism, which requires a technical implementation on your website, not just a policy update. Full CPA compliance guide →
Connecticut: CTDPA — The Mid-Threshold Law
- Effective: July 1, 2023
- Regulator: Connecticut Attorney General
- Scope trigger: 100,000+ consumers/year; OR 25,000+ consumers + 25%+ revenue from selling data
- Unique features: Cure period expired December 31, 2024; recognizes GPC; requires opt-in consent for sensitive data processing; children's data provisions
- Cure period: None (expired December 31, 2024)
- Penalty: Up to $5,000/violation
CTDPA has the lowest penalty cap of the Big 5 at $5,000 per violation, but its scope triggers are broader than VCDPA and CPA because the revenue-from-selling threshold is 25% rather than 50%. Companies that monetize data even partially are more likely to fall within CTDPA's scope. Connecticut was among the first states to participate in a joint enforcement cooperation agreement, making it likely to pursue multi-state actions alongside California and Colorado. Full CTDPA compliance guide →
Texas: TDPSA — The Broadest Net
- Effective: July 1, 2024
- Regulator: Texas Attorney General
- Scope trigger: Any entity conducting business in Texas OR targeting Texas residents — no revenue or consumer-volume threshold (small businesses exempt)
- Unique features: Broadest applicability of any US state law; treble damages for willful violations; AG enforcement with injunctive relief; Google's $1.37B settlement sets the penalty benchmark; 30-day cure period remains in effect
- Cure period: 30 days (no sunset)
- Penalty: Up to $7,500/violation; treble damages (up to $22,500/violation) for willful/knowing violations
TDPSA is the law that made 2024 the year privacy compliance stopped being optional for mid-market businesses. With no revenue or consumer-volume threshold — any company doing business in or targeting Texas residents is in scope, excluding only small businesses — the theoretical coverage is enormous. Texas has 30 million residents and an exceptionally aggressive AG that backed up the rhetoric with a $1.37 billion settlement against Google. If you run third-party pixels, analytics, or advertising tools on your website, TDPSA compliance is not optional. Full TDPSA compliance guide →
2024–2026 Emerging States: What Changed and What's Different
The 15 laws that took effect after the Big 5 follow broadly similar templates, but with key variations. Here are the most important differences to know:
Nebraska (NDPA) — The Second Broad-Net Law
Like Texas, Nebraska's law has no revenue or consumer-volume threshold for non-small businesses. Any company processing Nebraska resident data is in scope. Nebraska's AG is less well-resourced than Texas's, but the legal exposure is identical in structure. Companies that already expanded their compliance programs for TDPSA should apply the same framework to NDPA.
Maryland (MODPA) — The Strictest New Law
Maryland's Online Data Privacy Act has the strongest data minimization requirement of any US state law: companies must apply a data minimization standard by default, not merely as a response to consumer requests. This means you cannot collect personal data speculatively — every data point must have a disclosed, legitimate purpose. Maryland also lowers the scope threshold to 35,000 consumers, making it one of the most broadly applicable laws outside of Texas and Nebraska.
Oregon (OCPA) — Highest Per-Violation Penalty Outside Colorado
Oregon's Consumer Privacy Act carries a $25,000 maximum penalty per violation, compared with Colorado's $20,000 cap. Oregon also has a 25% revenue-from-selling threshold (the same as Connecticut) rather than 50%, making its scope slightly broader than VCDPA and CPA.
Florida (FDBR) — Limited Scope, High Stakes
Florida's Digital Bill of Rights applies only to companies with $1 billion or more in annual revenue — which means it covers a very small number of companies but with extremely high stakes: up to $500,000 per willful violation. Most businesses can disregard FDBR entirely, but companies at that revenue scale face some of the highest potential penalties in the US.
Tennessee (TIPA) — The Highest Volume Threshold
Tennessee's law has a 175,000-consumer threshold — the highest of any state law — which means smaller businesses are less likely to be in scope. The tradeoff is treble damages for willful violations (like TDPSA), giving Tennessee's AG significant leverage in enforcement actions against larger operators.
Consumer Rights: Who Gets What Under Each Law
All 20 state privacy laws grant consumers some version of the same core rights, but there are meaningful differences in which rights are included, what exceptions apply, and how businesses must respond. The table below focuses on the Big 5 plus Utah (which is notably weaker than the rest).
| Right | CA (CCPA/CPRA) | VA (VCDPA) | CO (CPA) | CT (CTDPA) | TX (TDPSA) | UT (UCPA) |
|---|---|---|---|---|---|---|
| Right to access | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Right to delete | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Right to correct | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✗ No |
| Right to portability | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Opt out of sale | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Opt out of targeted advertising | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Opt out of profiling | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✗ No |
| Right to appeal | ✗ No | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✗ No |
| Limit use of sensitive data | ✓ Yes (extensive) | ✓ Opt-in consent | ✓ Opt-in consent | ✓ Opt-in consent | ✓ Opt-in consent | ✓ Opt-out |
| Private right of action | ⚠ Data breaches only | ✗ No | ✗ No | ✗ No | ✗ No | ✗ No |
| Cure period (as of 2026) | None (intentional) | Expires Jul 1, 2026 | None (expired Jan 1, 2025) | None (expired Dec 31, 2024) | 30 days (no sunset) | 30 days |
The two standout weaknesses in Utah's law — no right to correct and no right to opt out of profiling — reflect a deliberate business-friendly design choice. Utah also requires opt-out (not opt-in) consent for sensitive data, making it significantly easier to process sensitive categories than under the four Big 5 laws that require opt-in consent (Virginia, Colorado, Connecticut, and Texas). If Utah is the only state privacy law that applies to your business, you're in the most favorable compliance environment of any US state.
Enforcement Mechanisms: Who Can Come After You
Understanding enforcement is critical because it determines your actual legal exposure, not just theoretical liability. Every US state privacy law uses one of two enforcement models:
AG-Only Enforcement (18 of 20 laws)
The vast majority of state privacy laws vest exclusive enforcement authority in the state Attorney General, with no private right of action for consumers. This is meaningfully different from GDPR, where individual data subjects can sue. In practice, AG-only enforcement means:
- Investigations are initiated by the AG, not individual consumers (though complaints may trigger investigations)
- AG offices have limited resources and must prioritize — large companies and egregious violations come first
- Cure periods (where they exist) give companies a window to remediate before formal penalties
- Multi-state coordinated actions are becoming more common, multiplying exposure
CPPA + AG (California Only)
California is unique. The CPPA is a dedicated privacy regulator with its own enforcement authority, independent of the AG. This means California has significantly more enforcement bandwidth than other states — it doesn't have to compete with criminal prosecutions, antitrust investigations, and consumer fraud cases for attorney resources. The CPPA also has rulemaking authority and has been actively promulgating new rules on automated decision-making, risk assessments, and cybersecurity audits.
The Multi-State Threat
California, Connecticut, Colorado, and Oregon signed a joint enforcement cooperation agreement in late 2025. The practical effect: a single violation that touches users in all four states could trigger coordinated investigations by four separate AG offices, with stacked penalties. A $7,500-per-violation exposure in California becomes $7,500 + $5,000 + $20,000 + $25,000 per-violation across all four states simultaneously. This is the enforcement scenario compliance officers should be preparing for in 2026.
Which Laws Apply to Your Business?
Rather than reading all 20 laws, use this practical framework based on your business profile:
The 2026 Multi-State Privacy Compliance Checklist
If you're starting from scratch or auditing an existing program, these are the eight technical and operational requirements that appear across virtually every US state privacy law. Getting these right covers the majority of your multi-state exposure.
1. Privacy policy: accurate and current
Every state law requires a privacy policy disclosing what personal data you collect, why you collect it, who you share it with, and how consumers can exercise their rights. The policy must be accurate — not boilerplate. Regulators have specifically called out policies that list rights the company doesn't actually honor, or that fail to disclose third-party data sharing (pixels, analytics, advertising networks). Update your policy whenever your data practices change.
2. Opt-out mechanism for sale and targeted advertising
All 20 laws require you to give consumers a way to opt out of the sale of their personal data and the use of their data for targeted advertising. In practice, this means a "Do Not Sell or Share My Personal Information" link (California-specific language) or equivalent, plus a functioning mechanism to honor it technically — not just a form that collects requests you ignore.
3. Global Privacy Control (GPC) recognition
California, Colorado, Connecticut, and several other states require you to honor the Global Privacy Control browser signal as a valid opt-out. This is a technical implementation requirement: your server or tag manager must detect the GPC signal and suppress data collection or sharing accordingly. A policy statement saying you honor GPC is not sufficient.
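What the opt-out gating described in items 2 and 3 looks like in code, as an added example that is not code from the original page or from Precept: on the server the signal arrives as the `Sec-GPC: 1` request header, in the browser as `navigator.globalPrivacyControl`; either one, or a previously recorded manual opt-out from the "Do Not Sell or Share" link, must stop the tags that sell or share data from loading at all. The tag catalog, its `purpose` labels and the `privacy_opt_out` cookie name are constructed for illustration.

```javascript
// Added example (not from the original page or from Precept): honoring the
// Global Privacy Control signal on the server (Sec-GPC request header) and in
// the browser (navigator.globalPrivacyControl), then gating third-party tags.

// Constructed tag catalog. "purpose" is our own label; "sale-or-ads" marks
// tags whose data sharing counts as a sale or targeted advertising.
const TAG_CATALOG = [
  { id: 'consent-banner', purpose: 'essential' },
  { id: 'first-party-analytics', purpose: 'analytics' },
  { id: 'ad-network-pixel', purpose: 'sale-or-ads' },
  { id: 'social-retargeting', purpose: 'sale-or-ads' },
];

// Hypothetical cookie the site sets when a user clicks the opt-out link.
const OPT_OUT_COOKIE = 'privacy_opt_out';

// Server side: the GPC spec sends "Sec-GPC: 1". Header names are
// case-insensitive, so normalise before comparing.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is true when the signal is on.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Parse a Cookie header (or document.cookie) string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Combined opt-out state: GPC signal OR a previously recorded manual opt-out.
function isOptedOut({ headers, nav, cookieString }) {
  const cookies = parseCookies(cookieString);
  return gpcFromHeaders(headers) || gpcFromNavigator(nav) || cookies[OPT_OUT_COOKIE] === '1';
}

// Decide which tags may load. Tags that sell or share data are suppressed when
// the user is opted out; the decision object is returned so it can be logged.
function gateTags(context, catalog = TAG_CATALOG) {
  const optedOut = isOptedOut(context);
  const load = [];
  const suppressed = [];
  for (const tag of catalog) {
    (optedOut && tag.purpose === 'sale-or-ads' ? suppressed : load).push(tag.id);
  }
  return { optedOut, load, suppressed };
}

// Stand-alone run with constructed contexts.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(gateTags({ headers: { 'Sec-GPC': '1' } }));
  console.log(gateTags({ headers: {}, cookieString: 'session=abc; privacy_opt_out=1' }));
  console.log(gateTags({ headers: {}, cookieString: 'session=abc' }));
}
```

The point of returning the decision rather than only acting on it is that the returned object is the record an investigator would ask for: which signal was seen and which tags were withheld. Honouring GPC means the suppressed tags are never injected, not injected and then asked to opt the user out afterwards.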
4. Consent infrastructure for sensitive data
Fourteen of the 20 state laws require opt-in consent (not just opt-out) before processing sensitive personal information — which typically includes precise geolocation, biometric data, health data, race/ethnicity, sexual orientation, immigration status, and financial account data. If you collect any of these categories, you need a consent mechanism, not just a disclosure.
5. Data subject request (DSR) workflow
You must have a functioning process to receive, verify, and respond to consumer requests to access, delete, correct, and port their personal data. Response deadlines are typically 45–90 days. Automated verification (to confirm the requestor is who they claim) is required — but over-verification that makes requests practically impossible is itself a violation.
6. Data processing agreements (DPAs) with vendors
Every law requires controllers to have signed data processing agreements with processors (vendors who handle personal data on your behalf). This includes your cloud infrastructure, analytics vendors, CRM, support tools, marketing automation, and advertising platforms. Vendors that have not signed a DPA represent uncontracted data exposure.
7. Data protection assessments (DPAs) for high-risk activities
Virginia, Colorado, Connecticut, Texas, and several other states require documented Data Protection Assessments for high-risk processing activities — including targeted advertising, profiling, processing sensitive data, and selling personal data. These are internal risk analysis documents, not public disclosures, but they must exist and be producible in an investigation.
8. Technical audit of your website's actual data flows
Policy compliance is necessary but not sufficient. Regulators are looking at what your website actually does — which cookies it sets, which third-party scripts it loads, which data those scripts collect and where it goes. Every major enforcement action in 2024–2026 started with a technical investigation of a public website. Running a regular technical audit is the most direct way to identify and close the gaps that regulators will find first.
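One shape such a technical audit can take, as an added example that is not code from the original page or from Precept: the script walks a list of captured requests (the shape of a simplified HAR export), separates first-party from third-party hosts, records which third parties receive cookies, set cookies or load scripts, and flags the ones without a signed DPA on file (item 6 above). The request entries, the site name and the DPA vendor list are constructed; the registrable-domain logic is a deliberately naive last-two-labels split, and a real tool should use the Public Suffix List.

```javascript
// Added example (not from the original page or from Precept): a minimal
// third-party data-flow audit over captured web requests.

// Constructed sample capture, shaped like simplified HAR entries.
const SAMPLE_ENTRIES = [
  { url: 'https://www.example-shop.test/', method: 'GET',
    requestHeaders: { Cookie: 'session=abc' },
    responseHeaders: { 'Content-Type': 'text/html' } },
  { url: 'https://cdn.example-shop.test/app.js', method: 'GET',
    requestHeaders: {}, responseHeaders: { 'Content-Type': 'application/javascript' } },
  { url: 'https://analytics.vendor-a.test/collect?uid=123', method: 'POST',
    requestHeaders: {}, responseHeaders: { 'Set-Cookie': '_va=1; Domain=.vendor-a.test' } },
  { url: 'https://pixel.adnet-b.test/px.js', method: 'GET',
    requestHeaders: {}, responseHeaders: { 'Content-Type': 'text/javascript' } },
  { url: 'https://pixel.adnet-b.test/track?e=purchase', method: 'GET',
    requestHeaders: { Cookie: '_ab=xyz' }, responseHeaders: {} },
];

// Constructed list of registrable domains that have a signed DPA.
const DPA_VENDORS = new Set(['vendor-a.test']);

// Case-insensitive header lookup; returns '' when absent.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return String(v);
  }
  return '';
}

// Naive registrable domain: last two labels. An assumption for this example;
// production code should consult the Public Suffix List (think co.uk).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// A response is a script if the content type says so or the path ends in .js.
function isScript(entry) {
  const ct = header(entry.responseHeaders, 'Content-Type').toLowerCase();
  return ct.includes('javascript') || new URL(entry.url).pathname.endsWith('.js');
}

// Walk the capture and build a per-third-party summary.
function auditRequests(siteHost, entries, dpaVendors) {
  const site = registrableDomain(siteHost);
  const report = { firstPartyRequests: 0, thirdParties: {} };
  for (const entry of entries) {
    const host = new URL(entry.url).hostname;
    const domain = registrableDomain(host);
    if (domain === site) { report.firstPartyRequests += 1; continue; }
    let rec = report.thirdParties[domain];
    if (!rec) {
      rec = { hosts: [], requests: 0, receivesCookies: false, setsCookies: false,
              loadsScript: false, hasDpa: dpaVendors.has(domain) };
      report.thirdParties[domain] = rec;
    }
    if (!rec.hosts.includes(host)) rec.hosts.push(host);
    rec.requests += 1;
    if (header(entry.requestHeaders, 'Cookie')) rec.receivesCookies = true;
    if (header(entry.responseHeaders, 'Set-Cookie')) rec.setsCookies = true;
    if (isScript(entry)) rec.loadsScript = true;
  }
  return report;
}

// Third parties that receive data but have no DPA on file (item 6).
function uncontractedVendors(report) {
  return Object.keys(report.thirdParties)
    .filter((d) => !report.thirdParties[d].hasDpa)
    .sort();
}

// Stand-alone run over the constructed capture.
if (typeof require !== 'undefined' && require.main === module) {
  const report = auditRequests('www.example-shop.test', SAMPLE_ENTRIES, DPA_VENDORS);
  console.log(JSON.stringify(report, null, 2));
  console.log('Uncontracted third parties:', uncontractedVendors(report));
}
```

Run against a real capture, the `setsCookies` and `loadsScript` flags are the ones to read first: a third party that both sets a cookie and runs script on your pages is sharing data in a way your privacy policy and DPA list must account for, and the diff between two runs is the cheapest way to notice a newly added tag before a regulator does.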
The Bottom Line: Build Once, Comply with Many
The good news about 20 state privacy laws is that they share roughly 80% of their requirements. A compliance program built to the CCPA/CPRA standard — with a current privacy policy, functioning opt-out mechanisms, GPC recognition, opt-in consent for sensitive data, a DSR workflow, signed DPAs with vendors, and documented data protection assessments — satisfies the majority of requirements under most other state laws.
The remaining 20% is where the details matter: Colorado's $20,000 penalty cap, Oregon's 25% revenue-from-selling threshold, Maryland's default data minimization requirement, Texas's no-threshold applicability, and the sunset dates for various cure periods. These differences require you to know which laws specifically apply to your business and where you have gaps.
The companies that are getting ahead of this are treating compliance as a technical discipline, not just a legal one. Opt-out mechanisms, GPC signals, and data flows are software problems. The faster you instrument your website to be auditable — so you can see what data it collects and where it goes — the faster you can close the gaps that regulators will find.
Check your compliance against all 20 state laws
Precept scans your website in under 60 seconds and generates a specific findings report — not generic advice. See exactly which laws you're failing and what to fix, before an AG does.