The United States still has no federal comprehensive privacy law. What it has instead is a fast-growing patchwork: more than 20 states now enforce their own consumer data privacy statutes, each with different thresholds, rights, and enforcement mechanisms. Six more laws took effect in the first half of 2026 alone. For any website or app that collects data from US visitors, tracking which rules apply and how they interact has become a genuine operational problem.
This guide is the reference. It covers every active US state comprehensive privacy law, the key dates, what each requires, and where they diverge. If you run a website that serves US traffic, bookmark this page — it's the single resource you need to stay current.
The Current Landscape: 20+ States and Counting
As of June 2026, at least 20 US states have enacted comprehensive consumer data privacy laws, with several more signed but not yet effective. California started the wave in 2018 with the CCPA; Virginia followed in 2021. The pace accelerated sharply in 2023 and 2024, and 2026 brought six new laws into enforcement.
The term "comprehensive" matters here. Many more states have narrow data privacy laws covering specific sectors (health data, biometrics, children). This guide focuses on the broad consumer privacy statutes that impose obligations on businesses processing personal data generally, not just specific data types.
Despite multiple attempts, Congress has not passed a federal privacy bill. The American Data Privacy and Protection Act (ADPPA) stalled in 2022, and the American Privacy Rights Act (APRA) died in committee in 2024. Until federal legislation materializes, state laws are the entire regulatory framework for consumer data privacy in the US.
State-by-State Comparison Table
The table below covers every state with an active comprehensive privacy law as of mid-2026. "Opt-out" means businesses can process personal data freely unless the consumer explicitly opts out; "opt-in" for sensitive data means affirmative consent is required before processing categories like health, biometric, or geolocation data.
| State | Law | Effective Date | Consent Model | GPC Required | Private Right of Action |
|---|---|---|---|---|---|
| California | CCPA / CPRA | Jan 1, 2020 / Jan 1, 2023 | Opt-out; right to limit sensitive data | Yes | Yes (data breaches only) |
| Virginia | VCDPA | Jan 1, 2023 | Opt-out; opt-in for sensitive data | No | No |
| Colorado | CPA | Jul 1, 2023 | Opt-out; opt-in for sensitive data | Yes | No |
| Connecticut | CTDPA | Jul 1, 2023 | Opt-out; opt-in for sensitive data | Yes | No |
| Utah | UCPA | Dec 31, 2023 | Opt-out; opt-in for sensitive data | No | No |
| Iowa | ICDPA | Jan 1, 2025 | Opt-out; opt-in for sensitive data | No | No |
| Delaware | DPDPA | Jan 1, 2025 | Opt-out; opt-in for sensitive data | Yes | No |
| Nebraska | NDPA | Jan 1, 2025 | Opt-out | No | No |
| New Hampshire | NHPA | Jan 1, 2025 | Opt-out; opt-in for sensitive data | Yes | No |
| New Jersey | NJDPA | Jan 15, 2025 | Opt-out; opt-in for sensitive data | Yes | No |
| Minnesota | MCDPA | Jul 31, 2025 | Opt-out; opt-in for sensitive data | Yes | No |
| Montana | MTCDPA | Oct 1, 2024 | Opt-out; opt-in for sensitive data | Yes | No |
| Oregon | OCIPA | Jul 1, 2024 | Opt-out; opt-in for sensitive data | Yes | No |
| Texas | TDPSA | Jul 1, 2024 | Opt-out; opt-in for sensitive data | Yes | No |
| Florida | FDBR | Jul 1, 2024 | Opt-out | No | No |
| Tennessee | TIPA | Jul 1, 2025 | Opt-out; opt-in for sensitive data | No | No |
| Indiana | ICDPA | Jan 1, 2026 | Opt-out; opt-in for sensitive data | No | No |
| Kentucky | KCDPA | Jan 1, 2026 | Opt-out; opt-in for sensitive data | No | No |
| Rhode Island | RIDTPPA | Jan 1, 2026 | Opt-out; opt-in for sensitive data | No | No |
| Maryland | MODPA | Oct 1, 2025 | Opt-out; opt-in for sensitive data | Yes | No |
Pending/upcoming: Arkansas (ADRSTA, effective Jul 1, 2026), Louisiana (signed May 2026, effective date TBD). Several other states have active legislative proposals that could pass in late 2026 or 2027.
New in 2026: Indiana, Kentucky, Rhode Island, Maryland, and More
January 1, 2026 was a major milestone. Three new state laws went into enforcement simultaneously:
- Indiana (ICDPA) — Follows the Virginia template closely. Applies to businesses controlling or processing data of 100,000+ Indiana residents, or 25,000+ residents if deriving over 50% of gross revenue from data sales. Includes a 30-day cure period. AG enforcement only.
- Kentucky (KCDPA) — Similar to Virginia and Indiana. Penalties capped at $7,500 per violation. 30-day cure period. No GPC mandate.
- Rhode Island (RIDTPPA) — Notable for its low applicability thresholds: just 35,000 consumers, or 10,000 if 20% or more of revenue comes from data sales. No cure period — enforcement is immediate. Penalties up to $10,000 per violation.
Maryland's MODPA took effect October 1, 2025 and entered its first full enforcement year in 2026. It includes strong minor data protections and is among the states requiring GPC recognition.
On the horizon for mid-2026: Arkansas activates July 1, bringing both its comprehensive privacy law and the separate Arkansas Children and Teens' Online Privacy Protection Act (ACTOPPA) covering ages 13 to 16. Louisiana signed its comprehensive privacy act in late May 2026.
Several states also hit enforcement transition points in 2026. Montana's 60-day cure period expired April 1, 2026. New Jersey's cure period expires mid-2026. Connecticut's cure period already expired. The trend is clear: grace periods are ending, and attorneys general are moving from guidance to active enforcement.
The Trailblazer: California (CCPA/CPRA)
California's framework remains the most expansive and the most actively enforced US state privacy law. The original CCPA took effect January 1, 2020, and the CPRA (approved by ballot in November 2020) substantially amended and strengthened it starting January 1, 2023.
California stands apart in several ways:
- Dedicated enforcement agency. The California Privacy Protection Agency (CPPA) is the only state-level privacy agency in the US, separate from the AG's office. It issues regulations, conducts investigations, and brings enforcement actions.
- Private right of action. California is the only state where consumers can sue — though only for data breaches involving unencrypted personal information, not for general privacy violations.
- Data broker registration. California requires data brokers to register with the CPPA, with an expanded registration program effective August 1, 2026.
- GPC mandate. California explicitly requires businesses to honor Global Privacy Control signals as valid opt-out-of-sale requests.
- Right to limit use of sensitive data. Rather than a pure opt-in model for sensitive data, California uses a "right to limit" — consumers can restrict how their sensitive personal information is used after collection.
California also pioneered the concept of "sharing" as distinct from "sale" of personal data, covering cross-context behavioral advertising even when no money changes hands. Most newer state laws have adopted similar language.
The Virginia Template: VCDPA and Its Descendants
Virginia's Consumer Data Privacy Act (VCDPA), effective January 1, 2023, established the template that the majority of subsequent state laws have followed. While California's CCPA grew organically and was later amended heavily, the VCDPA was drafted with input from industry groups and provides a cleaner, more business-friendly framework.
Key features of the Virginia model:
- Opt-out for general data processing; opt-in consent required for sensitive data
- Data subject rights: access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling
- Data protection assessments required for high-risk processing activities
- Exclusive AG enforcement — no private right of action
- No GPC mandate in the original Virginia law
States that closely follow the Virginia template include Indiana, Kentucky, Iowa, Tennessee, and Utah. Each has minor variations (different thresholds, cure periods, or definitions) but the core rights and obligations are structurally similar.
The Stricter Tier: Colorado, Connecticut, Oregon, Texas, and Delaware
Several states went beyond the Virginia baseline with stronger consumer protections:
- Colorado (CPA) — No cure period from the start. Requires honoring universal opt-out mechanisms like GPC. Includes a right to opt out of profiling decisions that produce legal or similarly significant effects.
- Connecticut (CTDPA) — One of the first to mandate GPC recognition. Cure period expired, moving into full enforcement mode.
- Oregon (OCIPA) — Requires GPC recognition. As of January 1, 2026, it prohibits the sale of minors' precise geolocation data — a provision unique among state privacy laws.
- Texas (TDPSA) — Notable for having no revenue or employee-count threshold: it applies to any entity conducting business in Texas that processes personal data, unless classified as a small business under SBA standards. Requires GPC recognition and includes AI governance requirements.
- Delaware (DPDPA) — Requires GPC. Its 60-day cure period expired December 31, 2025, putting it in a no-grace-period enforcement posture for 2026.
These states represent the current leading edge of US state privacy regulation, short of California's unique features.
Common Requirements Across All State Laws
Despite their differences, every US state comprehensive privacy law shares a core set of obligations. If you comply with these, you cover the baseline for all 20+ states:
Privacy Notice
Every law requires a clear, accessible privacy notice disclosing: categories of personal data collected, purposes of processing, categories of third parties with whom data is shared, how consumers can exercise their rights, and whether personal data is sold or used for targeted advertising.
Right to Opt Out
All states give consumers the right to opt out of at least one of: sale of personal data, targeted advertising, or certain forms of profiling. Most laws cover all three. The practical implication for websites: you need an opt-out mechanism, and your cookie consent tool must support it.
Data Subject Rights
Consumers in every state have at minimum the rights to: access their personal data, request deletion of their personal data, and obtain a portable copy. Most states also include the right to correct inaccurate data. Response timeframes vary but cluster around 45 days, with a possible 45-day extension.
Sensitive Data Protections
Every state (with narrow exceptions in Utah and Iowa) requires opt-in consent before processing sensitive personal data. The definition of "sensitive" varies but typically includes: racial or ethnic origin, religious beliefs, health or mental health data, biometric data, genetic data, precise geolocation, sexual orientation, and citizenship or immigration status. Children's data is universally considered sensitive — all states require opt-in consent for processing data of known children under 13, and many extend protections to ages 13 to 16.
Data Protection Assessments
Most states require businesses to conduct data protection assessments for high-risk processing activities, including targeted advertising, sale of personal data, profiling, and processing of sensitive data.
Global Privacy Control: Which States Require It
Global Privacy Control (GPC) is a browser-level signal that tells websites a user wants to opt out of the sale or sharing of their personal data. It's transmitted as an HTTP header (Sec-GPC: 1) and is supported natively by Brave, DuckDuckGo, Firefox, and several browser extensions. Chrome does not natively support GPC as of mid-2026.
As of June 2026, the following states explicitly require businesses to honor GPC or equivalent universal opt-out mechanisms:
- California (CCPA/CPRA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Delaware (DPDPA)
- Maryland (MODPA)
- Minnesota (MCDPA)
- Montana (MTCDPA)
- New Hampshire (NHPA)
- New Jersey (NJDPA)
- Oregon (OCIPA)
- Texas (TDPSA)
That's 11 states — more than half of the active laws. The trajectory is clear: GPC recognition is becoming the norm, not the exception. In September 2025, California, Colorado, and Connecticut launched a coordinated GPC enforcement sweep, sending notices to businesses not honoring the signal. More joint enforcement actions are expected in 2026.
For website operators, the practical takeaway: detect the GPC signal and treat it as a valid opt-out request. Your consent management platform should be able to read the Sec-GPC header and suppress non-essential cookies accordingly for visitors from GPC-mandating states. See our deep dive on how GPC works and what it means for your site.
Opt-Out vs. Opt-In: How US Laws Differ from GDPR
The fundamental philosophical difference between US state privacy laws and the GDPR is the default state of consent:
- GDPR (opt-in): No personal data processing without prior, affirmative consent (with narrow legal basis exceptions). Non-essential cookies cannot be set until the user clicks "Accept." Businesses must prove they have consent.
- US state laws (opt-out): Businesses can process personal data by default. The burden shifts to the consumer to actively opt out of sale, sharing, or targeted advertising. Sensitive data is the exception — most states flip to opt-in for sensitive categories.
For cookie consent specifically, this creates a fundamentally different banner experience:
| Aspect | GDPR (EU/EEA) | US State Laws |
|---|---|---|
| Default cookie state | Blocked until consent | Active until opt-out |
| Banner purpose | Collect affirmative consent | Provide opt-out mechanism |
| Required buttons | Accept + Reject (equal prominence) | "Do Not Sell My Data" link |
| No interaction = ? | No consent; cookies stay blocked | Implied acceptance; cookies fire |
| Sensitive data | Explicit consent (Art. 9) | Opt-in consent in most states |
| Consent records | Must prove consent was given | Must prove opt-out was honored |
This distinction is critical for implementation. A GDPR-style banner that blocks everything by default is not wrong for US visitors — it's just unnecessarily restrictive and will hurt your analytics and ad data. Conversely, a US-style "opt-out only" approach in Europe is a serious compliance violation. You need different banner behavior by region, which is exactly the problem a regional consent system solves.
Practical Implementation: One Banner for Multiple US State Laws
The good news in the US patchwork: the laws are similar enough that a single, well-configured consent mechanism can cover all of them. You don't need 20 different banners. Here's what a compliant US implementation looks like:
1. Detect the Visitor's State
Use IP-based geolocation to determine which state's law applies. This doesn't need to be precise to the street — state-level accuracy is sufficient and readily available from standard geo-IP databases.
2. Show an Opt-Out Banner (Not Opt-In)
For US visitors, display a notice-style banner that informs them about data collection and provides a clear opt-out mechanism. Unlike GDPR banners, you don't need to block cookies before interaction — but you do need to make opting out genuinely easy.
California requires a "Do Not Sell or Share My Personal Information" link, and it's good practice to use similar language for all US states. Many businesses use a single "Your Privacy Choices" link that works across all jurisdictions.
3. Honor GPC Signals
For visitors from states that mandate GPC recognition, detect the Sec-GPC: 1 header and automatically suppress targeted advertising and data sale activities — without requiring the user to interact with your banner at all.
4. Handle Sensitive Data Categories Separately
Since most states require opt-in for sensitive data, ensure that any processing involving health, biometric, geolocation, or children's data has explicit prior consent, regardless of the visitor's state.
5. Maintain Response Infrastructure
All states require timely responses to data subject requests (access, deletion, correction). Build or adopt a system that can handle these requests within the 45-day window most states mandate.
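The GPC handling from the Global Privacy Control section and steps 1 to 4 above, as an added example that is not CookieBeam's code: a server-side decision function that maps a US visitor's state and Sec-GPC header to the banner mode and processing permissions the guide describes. It assumes the caller has already resolved the state from geo-IP and stored any earlier opt-out or sensitive-data consent choice; the state lists copy the comparison table as of mid-2026 and must be kept current as laws take effect.

```javascript
// Added example (not CookieBeam's code): apply this guide's US rules to one request.
// Assumes the state code comes from geo-IP (step 1) and prior choices are stored.

// States whose law mandates honoring GPC / universal opt-out signals (table above).
const GPC_STATES = new Set(["CA", "CO", "CT", "DE", "MD", "MN", "MT", "NH", "NJ", "OR", "TX"]);

// Every state with an active comprehensive privacy law (comparison table, mid-2026).
const PRIVACY_STATES = new Set([
  ...GPC_STATES, "VA", "UT", "IA", "NE", "FL", "TN", "IN", "KY", "RI",
]);

// Read the Sec-GPC request header. The GPC spec defines "1" as the only valid
// value; an absent header, "0" or any other string means "no signal".
// Header names are matched case-insensitively (Node lowercases them anyway).
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide banner mode and processing permissions for a US visitor.
//   state              two-letter state code from geo-IP (hypothetical input)
//   headers            request headers, e.g. req.headers in Node
//   optedOut           visitor previously used the opt-out control
//   sensitiveConsent   visitor gave explicit opt-in for sensitive categories
//   honorGpcEverywhere optional policy: honor GPC in all states, not only where
//                      mandated (simpler to operate and never less compliant)
function decideUsConsent({ state, headers, optedOut = false,
                           sensitiveConsent = false, honorGpcEverywhere = false }) {
  const gpc = hasGpcSignal(headers);
  const gpcHonored = gpc && (honorGpcEverywhere || GPC_STATES.has(state));
  const effectiveOptOut = optedOut || gpcHonored;
  return {
    regulatedState: PRIVACY_STATES.has(state),
    bannerMode: "opt-out",                    // notice + opt-out control, no blocking
    cookiesFireByDefault: !effectiveOptOut,   // US default: active until opt-out
    allowSaleAndTargetedAds: !effectiveOptOut,
    gpcHonored,
    // Step 4: sensitive categories need prior opt-in regardless of state.
    allowSensitiveProcessing: sensitiveConsent === true,
    privacyLinkText: state === "CA"
      ? "Do Not Sell or Share My Personal Information"
      : "Your Privacy Choices",
  };
}

// Constructed sample requests (not real traffic).
const austinWithGpc = decideUsConsent({ state: "TX", headers: { "Sec-GPC": "1" } });
const richmondWithGpc = decideUsConsent({ state: "VA", headers: { "sec-gpc": "1" } });
console.log(austinWithGpc.gpcHonored, richmondWithGpc.gpcHonored); // true false
```

Texas mandates GPC so the Austin request is treated as an opt-out with no banner interaction; Virginia does not, so the Richmond request keeps the default unless you enable honorGpcEverywhere.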
How CookieBeam Handles US State-by-State Compliance
CookieBeam's regional consent system was designed specifically for this kind of multi-jurisdiction problem. Rather than forcing you to choose between "GDPR mode everywhere" (over-blocking for US visitors) or "US mode everywhere" (non-compliant in Europe), it applies the right legal framework based on where each visitor is located.
Here's how it works for US state privacy laws:
- Legal framework presets. CookieBeam includes built-in presets for major legal frameworks including CCPA, US opt-out states, GDPR, LGPD, PIPEDA, and UK GDPR. Each preset configures the appropriate consent mode (opt-in vs. opt-out), default button text, and banner behavior.
- State-level geo-targeting. Regional rules can target specific US states or groups of states. You can create one rule for California (CCPA-specific requirements), another for GPC-mandating states, and a fallback for remaining US states.
- GPC detection. CookieBeam detects the Sec-GPC header and can automatically honor it as an opt-out signal for visitors from states that require it.
- Opt-out banner behavior. For US visitors, the banner shows a notice with opt-out controls rather than the blocking opt-in flow used for EU/EEA visitors. Cookies fire by default and stop if the user opts out — matching the legal requirement without over-restricting data collection.
- Per-region translation overrides. Banner text, button labels, and privacy notice links can be customized per region, so California visitors see "Do Not Sell or Share My Personal Information" while other US visitors see appropriate language for their state's law.
The practical benefit: you configure your rules once, and every visitor sees a legally appropriate experience. A visitor from Berlin gets GDPR opt-in blocking; a visitor from Austin gets Texas TDPSA opt-out; a visitor from Sacramento gets CCPA with GPC support. One banner deployment, multiple legal frameworks.
Enforcement Trends to Watch in 2026
Several developments are shaping how aggressively states will enforce their privacy laws in 2026 and beyond:
- Cure periods are expiring. Montana (April 2026), New Jersey (mid-2026), and several other states are moving from "warn first" to "enforce first" postures. Businesses that relied on cure periods to buy time need to be compliant now.
- Coordinated multi-state enforcement. The September 2025 joint GPC sweep by California, Colorado, and Connecticut set a precedent. Expect more coordinated actions targeting businesses that ignore universal opt-out signals.
- AG offices are staffing up. Texas, Oregon, and Colorado have all expanded their privacy enforcement teams. California's CPPA has been issuing regulations and conducting investigations at an increasing pace.
- Children's data is a priority. Multiple states are layering children-specific privacy protections on top of their general consumer privacy laws. Arkansas's ACTOPPA (effective July 2026) is the latest example. Enforcement actions involving children's data are likely to carry the stiffest penalties.
- No federal preemption in sight. With no realistic path to a federal privacy law in the current Congress, the state patchwork will continue to grow. Businesses cannot wait for federal legislation to simplify things — compliance with individual state laws is the only path.
Key Takeaways
- 20+ states now have active comprehensive privacy laws, with more coming. There is no federal law to simplify this.
- All US laws use an opt-out model for general data processing (unlike GDPR's opt-in). Sensitive data flips to opt-in in most states.
- 11 states require honoring GPC signals — and that number is growing. If you're not detecting and respecting Sec-GPC: 1, you're already non-compliant in over half the regulated states.
- Only California allows private lawsuits (data breach only). All other states rely on AG enforcement, with penalties of $7,500 to $10,000+ per violation.
- One well-configured consent tool can cover all US states. The laws are similar enough that a regional approach — different banner behavior by state or state group — provides compliant coverage without 20 separate implementations.
- Cure periods are ending. The grace period for getting compliance wrong is over in most states. 2026 is the year enforcement gets serious.
The patchwork is messy, but it's manageable. The key is treating US privacy compliance as a regional problem — which is exactly what it is — and using tools that adapt by jurisdiction rather than forcing a one-size-fits-all approach. For a deeper look at how to set up region-specific consent, see our guide on running one cookie banner across a global audience. For the GDPR side of the equation, start with our GDPR cookie compliance checklist and the comparison of GDPR vs CCPA vs PECR.