20 States Now Enforce Comprehensive Privacy Laws as Enforcement Phase Begins

Why it matters

What Happened

As of 2026, 20 states have comprehensive consumer privacy laws in effect, marking a significant expansion of the U.S. privacy regulatory landscape.[3][4] Three new laws took effect on January 1, 2026—in Indiana, Kentucky, and Rhode Island—while existing laws in states like California, Connecticut, Colorado, Oregon, and Utah underwent substantial amendments that tightened compliance requirements.[2][4] The regulatory focus has shifted decisively from legislation to enforcement, with state attorneys general increasingly pursuing violations.[6]

Who's Involved

The 20 states with comprehensive privacy laws are California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.[3] California remains the most influential jurisdiction, enforcing the strictest requirements and featuring unique provisions like a standalone revenue threshold of $26.625 million.[1] Most other states follow frameworks modeled on Virginia's Consumer Data Protection Act (VCDPA).[1] State attorneys general are leading enforcement efforts; for example, California's Attorney General achieved a $1.55 million settlement in July 2025 against an online health publisher for failing to honor opt-out requests and improperly sharing personal data.[6]

Basic Context

California's 2018 Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), initiated the wave of state legislation.[5] Over five years, more than 20 states enacted comparable laws granting consumers standardized rights: access, deletion, correction, portability, and opt-out capabilities.[1] However, each state established divergent definitions, exemptions, applicability thresholds, and response timelines, creating a fragmented compliance landscape.[1] In 2026, amendments signal tightening enforcement—Connecticut lowered its applicability threshold from 100,000 to 35,000 consumers, while Colorado eliminated its cure period entirely.[2]

Why It's Newsworthy Now

Absent federal privacy legislation, states have become the primary privacy regulators in the U.S.[6] The transition from legislative expansion to active enforcement represents a critical shift for businesses: operational compliance failures now face heightened regulatory scrutiny, making privacy compliance a central risk-management function rather than a legal checkbox.[6] For companies operating nationally, the proliferation of divergent state requirements and stricter amendments create substantial compliance costs and competitive pressure.

Sources
