How many US states have privacy laws in 2026?

As of March 2026, 21 US states have enacted comprehensive consumer privacy laws, with 15 currently in effect. California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Indiana (ICDPA), and Nebraska (NDPA) are all active. Kentucky, Oklahoma, Maryland, Minnesota, Rhode Island, and Vermont laws take effect in 2026-2027.

Do US state privacy laws require cookie consent banners?

Most US state privacy laws use an opt-out model rather than requiring opt-in cookie consent banners like the GDPR. However, they do require mechanisms for consumers to opt out of the sale of personal data, targeted advertising, and profiling. Several states also require honoring universal opt-out mechanisms like the Global Privacy Control (GPC).

Is there a federal US privacy law?

As of 2026, there is no comprehensive federal privacy law in the United States. The American Privacy Rights Act (APRA) was introduced in 2024 but has not been enacted. The FTC enforces privacy through its general authority over unfair and deceptive practices, and sector-specific laws like HIPAA (health), COPPA (children), and FERPA (education) cover specific areas.

US State Privacy Laws: Complete Guide for 2026

As of March 2026, 21 US states have enacted comprehensive consumer privacy laws, with 15 currently in effect and 6 more taking effect through 2027. Unlike the EU, which has a single regulation (GDPR) covering all member states, the US has a patchwork of state-level laws with varying thresholds, rights, and enforcement mechanisms, and no federal privacy law.

The US privacy law landscape in 2026

The trend is accelerating. California led in 2020, and since then roughly 4-6 new states have enacted privacy laws each year. While the laws share common DNA (most are modeled on the Virginia or Connecticut frameworks), each has unique thresholds, exemptions, and enforcement approaches.

Key Point

The practical impact: if your website serves users across the US, you likely need to comply with multiple state privacy laws simultaneously. A geo-targeted consent approach is the most efficient way to handle this.

Active state privacy laws (as of February 2026)

State	Law	Effective	Revenue / Data Threshold
California	CCPA/CPRA	Jan 2020 / Jan 2023	$25M revenue, 100K consumers, or 50% revenue from data
Virginia	VCDPA	Jan 2023	100K consumers or 25K consumers + 50% revenue from data
Colorado	CPA	Jul 2023	100K consumers or 25K consumers + revenue from data
Connecticut	CTDPA	Jul 2023	100K consumers or 25K consumers + 25% revenue from data
Utah	UCPA	Dec 2023	$25M revenue + 100K consumers or 50% revenue from data
Texas	TDPSA	Jul 2024	Conducts business in Texas + processes personal data (no revenue threshold)
Oregon	OCPA	Jul 2024	100K consumers or 25K consumers + 25% revenue from data
Montana	MCDPA	Oct 2024	50K consumers (lower threshold due to smaller population)
Iowa	ICDPA	Jan 2025	100K consumers or 25K consumers + 50% revenue from data
Delaware	DPDPA	Jan 2025	35K consumers or 10K consumers + 20% revenue from data
New Hampshire	NHPA	Jan 2025	35K consumers or 10K consumers + 25% revenue from data
New Jersey	NJDPA	Jan 2025	100K consumers or 25K consumers + revenue from data
Tennessee	TIPA	Jul 2025	$25M revenue + 175K consumers or 25K consumers + 50% revenue from data
Indiana	ICDPA	Jan 2026	100K consumers or 25K consumers + 50% revenue from data
Nebraska	NDPA	Jan 2026	No revenue threshold; applies to entities that process personal data and are not small businesses

Texas and Nebraska stand out for having no revenue threshold, meaning even small businesses that process personal data may be covered.

Key rights across all active laws

Right	CA	VA	CO	CT	TX	OR
Right to access	✓	✓	✓	✓	✓	✓
Right to delete	✓	✓	✓	✓	✓	✓
Right to correct	✓	✓	✓	✓	✓	✓
Right to portability	✓	✓	✓	✓	✓	✓
Opt out of sale	✓	✓	✓	✓	✓	✓
Opt out of targeted ads	✓	✓	✓	✓	✓	✓
Opt out of profiling	✓	✓	✓	✓	✓	✓
Private right of action	✓*	✗	✗	✗	✗	✗
Honor GPC / universal opt-out	✓	✗	✓	✓	✓	✓

* California's private right of action is limited to data breaches only.

How US privacy laws affect cookie consent

Unlike the GDPR, most US state privacy laws do not require opt-in cookie consent banners. Instead, they use an opt-out model:

Businesses can set cookies by default (no prior consent needed)
Consumers must be able to opt out of the sale of personal data and targeted advertising
A "Do Not Sell or Share My Personal Information" link (or similar) must be provided
Several states require honoring the Global Privacy Control (GPC) browser signal
Sensitive data (health, biometrics, precise geolocation, etc.) generally requires opt-in consent

Important

GPC compliance is increasingly mandatory. California, Colorado, Connecticut, Texas, Oregon, Montana, and Delaware all require businesses to honor the Global Privacy Control signal. If your site doesn't detect and respect GPC, you may be non-compliant in multiple states.

Laws taking effect in 2026-2027

State	Law	Effective Date	Notable Features
Kentucky	KCDPA	Jan 2026	Modeled on Virginia; 100K consumer threshold
Oklahoma	SB 546	Jul 2026	Virginia-model; 100K consumers or 25K + 50% revenue from data; permanent 30-day cure period
Maryland	MODPA	Oct 2026	Stronger data minimization requirements
Minnesota	MCDPA	Jul 2026	Includes right to know specific data recipients
Rhode Island	RIDPA	Jan 2026	Modeled on Connecticut; 35K consumer threshold
Vermont	VDPA	Jul 2027	Includes private right of action (first beyond California)

Key Point

Vermont is notable: it will be the second state (after California) to include a private right of action, allowing consumers to directly sue businesses for privacy violations.

What about a federal privacy law?

As of 2026, there is no comprehensive federal privacy law in the United States. The most significant attempt, the American Privacy Rights Act (APRA), was introduced in April 2024 with bipartisan support but did not advance to a full vote.

Key sticking points include:

Federal preemption: whether a federal law should override state laws (California strongly opposes)
Private right of action: whether consumers should be able to sue directly
FTC enforcement authority and resources
Small business exemptions

Until a federal law passes, businesses must navigate the patchwork of state laws. The practical recommendation: build your privacy compliance for the strictest applicable law, then use geo-targeting to adjust the user experience per state.

How to stay compliant across all states

Implement a consent management platform with geo-targeting capability
Provide a clear "Do Not Sell or Share" opt-out mechanism
Honor Global Privacy Control (GPC) browser signals
Maintain a comprehensive, up-to-date privacy policy disclosing all required information
Offer consumer rights request mechanisms (access, delete, correct, opt-out)
Conduct regular data mapping to understand what data you collect and share
Require opt-in consent for sensitive personal data categories
Keep consent records for each user interaction

Tip

AutoCMP detects visitor location and automatically shows the appropriate consent experience: GDPR opt-in for EU visitors, state-appropriate opt-out for US visitors, and no banner where not required. GPC signals are honored automatically.

Frequently asked questions

Do I need to comply with every state's law?

You need to comply with the laws of states where your users are located, provided you meet that state's applicability thresholds. In practice, most businesses that meet California's thresholds will also meet other states' thresholds.

What is the Global Privacy Control (GPC)?

GPC is a browser-level signal that communicates a user's preference to opt out of data selling and sharing. It's supported by browsers like Firefox, Brave, and DuckDuckGo, as well as browser extensions. Multiple state laws now require businesses to honor it.

Does the CCPA apply to all businesses in California?

No. The CCPA only applies to for-profit businesses meeting at least one of three thresholds: $25 million annual revenue, processing data of 100,000+ consumers/households, or deriving 50%+ revenue from data sales. Note that Texas and Nebraska have no revenue threshold.

Will more states pass privacy laws?

Almost certainly. As of early 2026, additional states have active privacy bills in various stages. The pace has increased each year, and bipartisan support for consumer privacy continues to grow. We update this tracker as new laws are enacted.

Sources & References

California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.199.100)
Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 - 59.1-585)
Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.)
Connecticut Data Privacy Act (Conn. Gen. Stat. §§ 42-515 - 42-525)
Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541)
Oklahoma SB 546 (Computer Data Privacy Act)
National Conference of State Legislatures: State Privacy Laws

This tracker is updated regularly but may not reflect the most recent legislative changes. This is informational content, not legal advice.

US State Privacy Laws: 2026 Tracker

In this article