Twenty Privacy Laws and Counting

California started it in 2018 with the CCPA. By March 2026, twenty US states have enacted comprehensive consumer privacy laws, with several more under active consideration. For website owners processing data across state lines, keeping track of each framework's quirks is no small task.

The good news: most of these laws follow a template first set by the Virginia Consumer Data Protection Act (VCDPA). The bad news: each state has introduced its own variations on applicability thresholds, opt-out rights, and enforcement powers. A handful of states - California, Maryland, and Nebraska among them - have gone further, adding stricter data minimisation or youth privacy protections.

This guide maps every active framework so you can identify which laws apply to your website and what each one requires.

Which States Have Privacy Laws in Effect?

The wave of state privacy legislation began with California's CCPA in 2020 and has accelerated sharply since 2023. Here is the full timeline of effective dates:

| State | Law | Effective Date |
|---|---|---|
| California | CCPA / CPRA | 1 Jan 2020 / 1 Jan 2023 |
| Virginia | VCDPA | 1 Jan 2023 |
| Colorado | CPA | 1 Jul 2023 |
| Connecticut | CTDPA | 1 Jul 2023 |
| Utah | UCPA | 31 Dec 2023 |
| Montana | MCDPA | 1 Oct 2024 |
| Oregon | OCPA | 1 Jul 2024 |
| Texas | TDPSA | 1 Jul 2024 |
| Delaware | DPDPA | 1 Jan 2025 |
| Iowa | ICDPA | 1 Jan 2025 |
| New Hampshire | NH SB 255 | 1 Jan 2025 |
| New Jersey | NJ SB 332 | 15 Jan 2025 |
| Tennessee | TIPA | 1 Jul 2025 |
| Minnesota | MCDPA | 31 Jul 2025 |
| Maryland | MODPA | 1 Oct 2025 |
| Nebraska | NDPA | 1 Jan 2026 |
| Indiana | ICDPA | 1 Jan 2026 |
| Kentucky | KCDPA | 1 Jan 2026 |
| Rhode Island | RIDTPPA | 1 Jan 2026 |
| Arkansas | APDPA | 1 Jul 2026 |

Eight states - Colorado, Connecticut, Kentucky, Montana, Oregon, Texas, Utah, and Virginia - have already amended their original laws, adding provisions such as mandatory universal opt-out signal recognition.

Applicability Thresholds Compared

Not every business falls under every law. Each state sets its own thresholds based on the volume of personal data processed and, in some cases, revenue derived from selling that data.

The most common pattern uses a two-pronged test: either process personal data of 100,000 or more state residents, or process data of 25,000 residents while deriving more than 25% of gross revenue from data sales. Virginia, Colorado, Connecticut, and most newer laws follow this structure.

Several states diverge from that pattern. Rhode Island's law sets notably low thresholds - just 35,000 consumers, or 10,000 if more than 20% of revenue comes from data sales. Texas and Nebraska take a different approach entirely, applying to all businesses that process or sell personal data and are not classified as small businesses under the US Small Business Administration definition.

California remains unique. The CCPA applies to for-profit businesses that meet any one of three criteria: annual gross revenue exceeding $25 million, buying or selling personal information of 100,000 or more consumers, or deriving 50% or more of annual revenue from selling personal information.

Opt-Out Rights: What Consumers Can Refuse

Every US state privacy law provides consumers with the right to opt out of the sale of their personal data. Most also cover targeted advertising and, to varying degrees, profiling.

California's framework is the broadest, covering both "sale" and "sharing" of personal information - where sharing specifically means cross-context behavioural advertising. The CCPA opt-out requirements also mandate a visible "Do Not Sell or Share My Personal Information" link on your website.

The Virginia-model states - which include Colorado, Connecticut, Indiana, Kentucky, Montana, Oregon, and others - provide three distinct opt-out rights: sale of personal data, targeted advertising, and certain types of profiling. Iowa is the narrowest, covering only sale and targeted advertising without a profiling opt-out.

Youth Consent Requirements

States vary on when opt-in consent is required for younger users. California requires opt-in consent for sale or sharing involving consumers under 16. New Jersey raises this to 17, while Delaware sets the bar at 18.

Maryland goes further than most, restricting the sale of personal data of minors under 18 and prohibiting targeted advertising directed at minors altogether.

Global Privacy Control and Universal Opt-Out Signals

Global Privacy Control (GPC) is a browser-level signal that tells websites a visitor wants to opt out of the sale or sharing of their personal data. As of early 2026, a growing list of states requires businesses to honour this signal.

States with mandatory GPC or universal opt-out signal recognition include California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. That is twelve states - more than half of all frameworks on the books.

California, Colorado, and Connecticut have announced a joint investigative sweep targeting businesses that fail to honour GPC opt-outs. If your website receives traffic from these states, implementing GPC detection is not optional.

The remaining states either do not yet require universal opt-out signal recognition or have not specified a timeline. Utah and Iowa, for example, do not mandate GPC support.
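
One way to act on the signal server-side, as an added example (not code from this guide or from Kukie.io): it reads the `Sec-GPC` request header defined by the GPC specification and checks the visitor's state against the twelve states listed above. The function names, the request shape and the sample tag list are assumptions made for the example.

```javascript
// Added example: names, request shape and tag list are assumptions.
// States the article lists as requiring GPC / universal opt-out recognition.
const GPC_MANDATORY_STATES = new Set([
  "CA", "CO", "CT", "DE", "MD", "MN", "MT", "NE", "NH", "NJ", "OR", "TX",
]);

// The GPC specification sends the request header `Sec-GPC: 1`.
// Header names are case-insensitive; any value other than "1" is no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === "1";
  }
  return false;
}

// state: two-letter code from geolocation, or null when the lookup failed.
// honourEverywhere: apply the strictest rule to every visitor (the guide's advice).
function resolveOptOut({ headers, state = null, storedOptOut = false, honourEverywhere = true }) {
  const gpcDetected = hasGpcSignal(headers);
  const code = state ? String(state).toUpperCase() : null;
  // Unknown location fails closed: treat it like a state that requires GPC.
  const mustHonour = gpcDetected && (code === null || GPC_MANDATORY_STATES.has(code));
  const optedOut = storedOptOut || mustHonour || (gpcDetected && honourEverywhere);
  return { gpcDetected, mustHonour, optedOut };
}

// Constructed tag inventory; classifying _fbp and _gcl_au as advertising
// cookies is this example's assumption about a sample site.
const SAMPLE_TAGS = [
  { name: "session", cookie: "sid", purpose: "essential" },
  { name: "meta-pixel", cookie: "_fbp", purpose: "advertising" },
  { name: "google-ads", cookie: "_gcl_au", purpose: "advertising" },
];

// Return the tags that may load for this request.
function tagsToLoad(decision, tags = SAMPLE_TAGS) {
  return tags.filter((t) => !(decision.optedOut && t.purpose === "advertising"));
}
```

Client-side scripts can read the same preference from `navigator.globalPrivacyControl`, so a tag manager can apply the same decision before any third-party script loads.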

Enforcement and Penalties

All twenty state privacy laws are enforced by the state Attorney General. California is the only state that also has a dedicated enforcement agency - the California Privacy Protection Agency (CPPA).

Most laws include a cure period, typically 30 or 60 days, during which businesses can remedy a violation before facing penalties. Several states have begun sunsetting these cure periods. Colorado's cure period expired on 1 January 2025. Connecticut's has also been removed following its 2025 amendments.

Penalties typically range from $2,500 to $7,500 per violation, though the cumulative effect of per-violation fines across millions of data subjects can be substantial. California's CPPA has been particularly active, and several high-profile enforcement actions have targeted inadequate consent mechanisms.

Key Differences at a Glance

| Feature | California (CCPA/CPRA) | Virginia Model | Texas / Nebraska |
|---|---|---|---|
| Revenue threshold | $25M annual revenue | None | None (not small business) |
| Processing threshold | 100K consumers | 100K or 25K + revenue % | No numeric threshold |
| Opt-out: sale | Yes | Yes | Yes |
| Opt-out: targeted ads | Yes (via "sharing") | Yes | Yes |
| Opt-out: profiling | Yes | Most states yes | Yes |
| GPC required | Yes | Varies by state | Texas yes, Nebraska yes |
| Private right of action | Data breaches only | No | No |
| Dedicated agency | CPPA | No (AG only) | No (AG only) |
| Cure period | 30 days (CPPA discretion) | 30-60 days (some expiring) | 30 days |

What This Means for Your Website

If your website attracts visitors from multiple US states, you are almost certainly subject to at least one of these laws. The practical approach is to build your consent mechanism around the strictest requirements and apply it broadly.

Start by scanning your site to identify every cookie and tracker in use. A free cookie scan will show you exactly what third-party scripts are loading and which ones set non-essential cookies like _ga, _fbp, or _gcl_au.

Configure your cookie banner to detect visitor location and apply the correct consent model. For US visitors from states with privacy laws, this means honouring opt-out requests and recognising GPC signals where required. For visitors from states without privacy laws, you may still want to provide an opt-out mechanism as a matter of good practice - and because new laws continue to pass each year.

Frequently Asked Questions

How many US states have consumer privacy laws in 2026?

As of March 2026, twenty US states have enacted comprehensive consumer privacy laws. These include California, Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Nebraska, Indiana, Kentucky, Rhode Island, and Arkansas (effective July 2026).

Do I need to comply with every state privacy law?

You must comply with a state's privacy law if you meet its applicability thresholds and process personal data of that state's residents. If your website receives traffic from all fifty states, you likely need to comply with multiple frameworks. Building to the strictest standard simplifies multi-state compliance.

Which US state privacy laws require honouring GPC signals?

Twelve states currently require businesses to honour Global Privacy Control or similar universal opt-out signals: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

What are the penalties for violating US state privacy laws?

Penalties typically range from $2,500 to $7,500 per violation, enforced by the state Attorney General. California also has a dedicated enforcement agency, the CPPA. Fines are calculated per violation, so non-compliance affecting many consumers can result in significant total penalties.

Is there a federal US privacy law?

No comprehensive federal privacy law exists as of March 2026. The American Privacy Rights Act (APRA) has been proposed but has not passed. Until federal legislation is enacted, businesses must comply with individual state laws.

Do US state privacy laws apply to non-US businesses?

Yes. Most US state privacy laws apply to any business that processes personal data of state residents, regardless of where the business is located. If your website targets or collects data from US consumers, these laws may apply to you.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
