Valtik Studios blog
State Privacy Law · 2026-03-06 · 13 min read

US State Data Privacy Laws 2026: The Complete Matrix Every Business Needs

If you do business in the US, you are likely subject to multiple state data privacy laws. California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and a growing list of states have active laws with enforcement authority. A practical matrix of what each law requires, the thresholds that trigger applicability, and the unified compliance approach that handles all of them.

Tre Trebucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

The state-by-state patchwork

In our experience working with mid-market clients, the gap is always wider than the paper-based assessment suggests.

The US lacks a federal comprehensive data privacy law. Congress has discussed it repeatedly (ADPPA, APRA, various other proposals) but nothing has passed. In the absence of federal legislation, states have stepped in. Rapidly and with variation.

As of April 2026, the states with active comprehensive data privacy laws:

  • California. CCPA (2018) + CPRA (2020). The original and most comprehensive
  • Virginia. VCDPA (2021, effective 2023)
  • Colorado. CPA (2021, effective 2023)
  • Connecticut. CTDPA (2022, effective 2023, amendments effective 2025-2026)
  • Utah. UCPA (2022, effective 2023)
  • Iowa. ICDPA (2023, effective 2025)
  • Indiana. Indiana Consumer Data Protection Act (2023, effective 2026)
  • Tennessee. TIPA (2023, effective 2025)
  • Texas. TDPSA (2023, effective 2024)
  • Oregon. OCPA (2023, effective 2024)
  • Montana. MCDPA (2023, effective 2024)
  • Delaware. DPDPA (2023, effective 2025)
  • Florida. FDBR (2023, effective 2024)
  • New Hampshire. NH 2024-1 (2024, effective 2025)
  • New Jersey. NJDPA (2024, effective 2025)
  • Kentucky, Maryland, Minnesota, Rhode Island, Nebraska. Various 2024-2025 laws
  • Additional states continuing to pass legislation in 2025-2026

For a business operating across the US, this is a patchwork of overlapping requirements. Each state's law has slightly different definitions, thresholds, consumer rights, enforcement mechanisms, and penalties.

This post is the practical matrix. What each law covers, who it applies to, what it requires. And the unified approach that gets you compliant with most of them with a single program.

The trigger thresholds

Each state law has specific thresholds for when the law applies. Not every business doing business in California needs to comply with CCPA, for instance. Below are the most common triggering criteria.

California (CCPA/CPRA)

Applies to for-profit businesses doing business in California that meet at least one of:

  • Annual gross revenue > $25 million
  • Process personal information of 100,000+ California consumers or households annually
  • Derive 50%+ of annual revenue from selling/sharing personal information

Expanded by CPRA: adds more detailed requirements for businesses meeting the thresholds.

Virginia (VCDPA)

Applies to businesses doing business in Virginia that:

  • Process personal data of 100,000+ Virginia consumers annually, OR
  • Process personal data of 25,000+ Virginia consumers and derive 50%+ of gross revenue from selling personal data

Colorado (CPA)

Applies to businesses that conduct business in Colorado or produce products/services targeted to Colorado residents and:

  • Process personal data of 100,000+ Colorado consumers annually, OR
  • Process personal data of 25,000+ Colorado consumers and derive revenue/discounts from selling personal data

Connecticut (CTDPA)

Effective 2023, amended 2025 and further amendments taking effect July 2026.

Applies to persons conducting business in Connecticut or producing products/services targeted to Connecticut residents that:

  • Process personal data of 100,000+ Connecticut consumers annually (excluding data processed solely for payment transactions), OR
  • Process personal data of 25,000+ Connecticut consumers and derive 25%+ of gross revenue from sale of personal data

2026 amendments tighten several provisions. We cover these specifically below.

Utah (UCPA)

Applies to persons conducting business in Utah or producing products/services targeted to Utah residents that have annual revenue of $25 million+ AND meet at least one of:

  • Process personal data of 100,000+ Utah consumers annually
  • Derive 50%+ of revenue from sale of personal data and process personal data of 25,000+ Utah consumers

Texas (TDPSA)

Applies to persons conducting business in Texas or producing products/services targeted to Texas residents that:

  • Process or engage in the sale of personal data, AND
  • Aren't small businesses as defined by the US SBA

Unique among state laws in using the SBA's small business definition rather than numerical thresholds.

Others

Most other states follow the "100,000 consumers OR 25,000 + revenue from selling data" pattern with minor variations.

The common consumer rights

Most state laws grant consumers the following rights over their personal information:

Right to access / know

Consumers can request disclosure of what personal information a business holds about them.

Right to delete

Consumers can request deletion of their personal information (with exceptions for legal obligations, security, ongoing transactions).

Right to correct

Consumers can request correction of inaccurate personal information. (Not all states. Utah's law is weaker on this.)

Right to portability

Consumers can receive their data in a usable, portable format.

Right to opt out of sale / sharing

Consumers can direct businesses to stop selling or sharing their personal information.

Right to opt out of targeted advertising

Most states (not all) allow consumers to opt out of data processing for targeted advertising.

Right to opt out of profiling / automated decisions

Some states grant the right to opt out of "profiling" that produces "legal or similarly significant effects."

Right to non-discrimination

Businesses can't retaliate against consumers who exercise their rights.

Right to appeal

Consumers can appeal if their rights requests are denied.

The business obligations

Beyond consumer rights, state laws impose specific obligations:

Privacy policy / notice

Detailed privacy notices describing:

  • What personal information is collected
  • Why
  • Sources
  • Third parties with whom it's shared
  • Consumer rights and how to exercise them
  • Retention periods

Purpose limitation

Collect only the personal information necessary for specific, legitimate purposes. Don't repurpose beyond disclosed uses.

Data minimization

Collect only what's needed. Retain only as long as necessary.

Sensitive data special protections

Most state laws designate "sensitive data" (SSN, health information, precise geolocation, biometric data, etc.) requiring:

  • Explicit consent before collection/processing, OR
  • Specific opt-out opportunities

Data protection assessments (DPAs)

For high-risk processing activities, conduct documented assessments weighing benefits against risks. Required by: Virginia, Colorado, Connecticut, others.

Contracts with processors/vendors

Contracts with third parties processing consumer data must include specific terms (processing limitations, security obligations, deletion on termination, etc.).

Security requirements

"Reasonable security" standard in most states. Texas's SB 2610 (covered in our Texas SB 2610 post) provides a safe harbor for framework-aligned businesses.

Global Privacy Control (GPC)

California, Colorado, Connecticut, and others require businesses to recognize the GPC signal as an opt-out-of-sale preference. Websites must respect the GPC signal sent by consumers' browsers.
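As an added example (not code from the original post), here is a server-side check that honors the GPC signal as the laws above require: browsers send the request header `Sec-GPC: 1`, and the GPC spec also defines a `/.well-known/gpc.json` resource a site can publish. The header dict, the `SalePreference` record and the tag catalogue are constructed for the example; the tag names are hypothetical.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"  # browsers send "Sec-GPC: 1"; header names are case-insensitive


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries Sec-GPC with the exact value "1".

    The GPC spec defines no other value, so "0", "true" or an empty header
    are treated as "no signal" rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class SalePreference:
    # What the consumer chose via the site's own opt-out link or form.
    # None means no choice was ever recorded (constructed for the example).
    opted_out: Optional[bool] = None


def may_sell_or_share(headers: Mapping[str, str], pref: SalePreference) -> bool:
    """Decide whether this request may feed sale/sharing (e.g. ad-tech tags).

    GPC is treated as a valid opt-out request: when present, the answer is
    "no" regardless of any earlier on-site choice. Without the signal the
    stored preference decides; a missing preference defaults to "yes" because
    the state laws discussed are opt-out regimes for sale/sharing.
    """
    if gpc_signal_present(headers):
        return False
    return pref.opted_out is not True


@dataclass(frozen=True)
class Tag:
    name: str
    sale_or_share: bool  # True = tag transfers data for cross-context ads


# Constructed catalogue: one first-party analytics tag, two tags that are a sale/share.
TAG_CATALOGUE = (
    Tag("first-party-analytics", sale_or_share=False),
    Tag("retargeting-pixel", sale_or_share=True),
    Tag("data-broker-sync", sale_or_share=True),
)


def tags_to_load(headers: Mapping[str, str], pref: SalePreference) -> list:
    """Return the names of tags that may be emitted for this request."""
    allow_sale = may_sell_or_share(headers, pref)
    return [t.name for t in TAG_CATALOGUE if allow_sale or not t.sale_or_share]


def gpc_well_known() -> dict:
    """Body for /.well-known/gpc.json, which lets a site declare it honors GPC."""
    return {"gpc": True, "lastUpdate": "2026-01-01"}  # constructed date


if __name__ == "__main__":
    signal = {"Sec-GPC": "1", "User-Agent": "constructed/1.0"}
    print(tags_to_load(signal, SalePreference()))             # ['first-party-analytics']
    print(tags_to_load({}, SalePreference(opted_out=False)))  # all three tag names
```

Wire `may_sell_or_share` into whatever decides which third-party scripts or server-side data transfers run per request; the signal check must happen before any sale/share occurs, not after.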

The state-by-state matrix

The condensed comparison across major laws:

| Feature | CA (CCPA/CPRA) | VA (VCDPA) | CO (CPA) | CT (CTDPA) | UT (UCPA) | TX (TDPSA) |
|---|---|---|---|---|---|---|
| Right to access | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes | Yes | Limited | Yes |
| Right to portability | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of sale | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of targeted ads | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of profiling | Yes | Yes | Yes | Yes | No | Yes |
| Sensitive data consent | Yes (opt-out) | Yes (opt-in) | Yes (opt-in) | Yes (opt-in) | Yes (opt-out) | Yes (opt-in) |
| Data protection assessments | Yes | Yes | Yes | Yes | No | Yes |
| Private right of action | Limited (breaches) | No | No | No | No | No |
| GPC recognition | Yes | No | Yes | Yes | No | No |
| Civil penalties | Up to $7,500 per violation | Up to $7,500 per violation | Up to $20,000 per violation | Up to $5,000 per violation | Up to $7,500 per violation | Up to $7,500 per violation |
| Cure period | Limited (ended 2023) | 30 days | 60 days (ending 2025) | 60 days | Varies | 30 days |

This table is simplified. Each law has specific exemptions, nuances, and recent amendments. Consult legal counsel for your specific situation.

California. The leader

California's laws remain the most comprehensive and most enforced:

CCPA (effective 2020) was the first comprehensive state privacy law. Established consumer rights, notice requirements, opt-out mechanisms.

CPRA (effective 2023) added:

  • Creation of California Privacy Protection Agency (CPPA). Dedicated regulator
  • Sensitive data category with additional rights
  • Right to correction
  • Contractor/processor distinctions
  • Risk assessments required for high-risk processing

Enforcement in 2024-2026:

  • CPPA has issued regulations and begun enforcement actions
  • Fines in multiple ranges, with several high-profile enforcement actions
  • Ongoing rulemaking on automated decision-making
  • Active audits of companies claiming exemptions

California's law is the de facto baseline. Companies subject to CCPA/CPRA often extend compliance to all US consumers, simplifying multi-state compliance.

Connecticut. July 2026 amendments

CT's CTDPA amendments taking effect in July 2026 are particularly relevant in three areas:

Lower applicability thresholds:

  • Reduced consumer count thresholds
  • More businesses now covered

Expanded consumer rights:

  • Right to list of all categories of personal data
  • Right to opt out of all sharing, not just sale

Enhanced enforcement:

  • Cure period reduced below 60 days for repeat violators
  • Enhanced AG authority
  • Increased penalties

Impact on businesses:

Particularly relevant for New England-focused businesses, including Valtik's Connecticut prospects.

Texas TDPSA. The 2024 entry

Texas's TDPSA (effective July 2024) uses the SBA small business definition:

  • Small business (as defined by SBA) = exempt
  • Everyone else = subject

For most SMBs, this means: check SBA size standards for your industry. If you're above, you're subject.

Texas's TDPSA includes robust consumer rights and specific security requirements. Combined with Texas's SB 2610 safe harbor (for cybersecurity framework compliance), Texas has become a relatively protective regulatory environment for compliant businesses. But a risky one for non-compliant ones given Texas AG's active enforcement (the $1.375B Google settlement, $1.4B Meta settlement, etc.).

Sensitive data special protections

"Sensitive data" varies by state but typically includes:

  • Social Security Numbers
  • Financial account information
  • Health information
  • Biometric data (fingerprints, facial recognition templates, etc.)
  • Precise geolocation
  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Immigration status (newer laws)
  • Citizenship status
  • Children's data (always heightened protection)

For sensitive data, most states require:

  • Opt-in consent before processing (VA, CO, CT, TX and most others)
  • Specific disclosures in privacy notices
  • Additional safeguards
  • Separate consent for different purposes

California uses an opt-out model (users can restrict sensitive data use), but the effect is similar.

Children's data

All state laws have enhanced protections for children, typically:

  • Under 13: COPPA applies federally. State laws defer to COPPA
  • 13-17: opt-in consent required for sale of personal information. Often opt-in for targeted advertising

California's CCPA specifically prohibits selling personal information of consumers under 16 without opt-in consent.

Biometric data

Several states have specific biometric information laws separate from comprehensive privacy laws:

  • Illinois BIPA. Powerful private right of action, significant judgments
  • Texas CUBI. State AG enforcement
  • Washington Biometric Privacy Act
  • New York, Colorado. Within their broader privacy laws
  • Maryland, Oregon, Connecticut. Various provisions

BIPA has produced billions in judgments against companies misusing biometric data. It's the most aggressive state biometric privacy law. Companies handling biometric data need specific BIPA compliance beyond general state privacy compliance.

Health information

State privacy laws interact with HIPAA:

  • HIPAA-covered entities are often exempt from state privacy laws for HIPAA-regulated data
  • Non-HIPAA health data (from health apps, wearables, etc.) is covered by state privacy laws
  • Washington My Health My Data Act and California's AB 2192 specifically target non-HIPAA health data
  • State AG enforcement for health data mishandling increasing

Organizations handling health data need specific analysis of HIPAA vs. state privacy law applicability.

The unified compliance approach

For businesses subject to multiple state laws, the unified approach:

Step 1: adopt California's framework as baseline

California is the most comprehensive. If you comply with CCPA/CPRA for all US consumers (not just Californians), you likely comply with most other states.

Implementation:

  • Privacy notice meeting California requirements
  • Consumer rights request handling (access, delete, correct, opt-out)
  • Sensitive data special handling
  • Data protection assessments for high-risk processing
  • Vendor contracts with required terms
  • Global Privacy Control recognition

Step 2: extend to all state residents

Apply the same rights and protections to all US residents, not just Californians. This is simpler and covers the bulk of multi-state requirements.

Benefits:

  • Single privacy program, not 10+ state-specific programs
  • Reduces risk of inadvertent non-compliance
  • Builds customer trust (perceived as privacy-respecting)

Step 3: layer state-specific additions

Some state laws have unique requirements:

  • Illinois BIPA: if handling biometric data
  • Washington MHMDA: if handling non-HIPAA health data
  • Connecticut CTDPA 2026: if CT consumers

Layer these on top of the California baseline.

Step 4: operationalize request handling

Consumer rights requests need operational capability:

  • Intake: web form, email, phone, physical mail
  • Identity verification: balance privacy with security
  • Routing: to the right internal team
  • Fulfillment: execution of the request
  • Response timeline: 30-45 days depending on state
  • Documentation: for compliance audits
  • Appeal process: for denied requests

Commercial privacy platforms help (OneTrust, Transcend, DataGrail, Ketch, Privado, Osano). Smaller organizations can build basic handling internally.

Step 5: vendor management

Every vendor processing personal data needs:

  • Contract with required privacy terms
  • Processing instructions
  • Security obligations
  • Deletion requirements

Existing vendor risk management (see our SaaS vendor checklist) should include privacy terms.

Step 6: ongoing monitoring

  • Monitor state legislation (new laws, amendments)
  • Update privacy notices when practices change
  • Regular program audits
  • Incident response for data breaches

The penalty landscape

State privacy laws have real penalties:

California:

  • Up to $7,500 per intentional violation
  • Up to $2,500 per unintentional violation
  • CPRA: up to $7,500 per consumer affected
  • Private right of action for certain data breaches ($100-$750 per consumer)

Most other states:

  • $5,000-$7,500 per violation
  • Colorado: up to $20,000 per violation (highest)

Penalty calculation:

  • "Per violation" often means "per consumer affected" or "per incident"
  • Large-scale violations (100,000+ consumers) can result in penalties in the tens of millions

Recent enforcement actions:

  • California CPPA against SaaS company (2024): $1.4M penalty for tracking violations
  • Texas AG Google settlement (2024): $1.375 billion for biometric and privacy violations
  • Texas AG Meta settlement (2024): $1.4 billion for facial recognition data
  • Colorado AG enforcement actions against multiple data-broker-adjacent companies
  • Oregon AG early enforcement under OCPA

Enforcement is ramping up in 2024-2026. Regulators are investing in staffing and enforcement infrastructure.

For small businesses

Small businesses with limited cross-state exposure can often focus on:

  1. Basic privacy policy covering collection, use, sharing, retention
  2. Consumer rights intake process (even if manual)
  3. Response timeline compliance
  4. Sensitive data handling if applicable
  5. Vendor contracts with standard privacy terms

Full multi-state compliance programs may be excessive for small businesses below most state thresholds. However, California's thresholds are common enough that many small businesses are subject.

For mid-market companies

Mid-market companies typically need:

  • Privacy program lead (dedicated or fractional)
  • Privacy management platform for intake/tracking
  • Legal counsel specializing in privacy
  • Cross-functional team (legal, engineering, marketing, sales)
  • Annual program review

Investment: $50K-$250K/year for meaningful mid-market privacy program.

For enterprises

Enterprise privacy programs include:

  • Chief Privacy Officer
  • Dedicated privacy team (compliance, engineering, legal)
  • Privacy management platform (OneTrust, Transcend, DataGrail)
  • Regular privacy impact assessments
  • Board-level privacy reporting
  • Integration with broader GRC
  • International expansion considerations (GDPR, LGPD, others)

Investment: $500K-$10M+/year for enterprise programs.

Integration with other compliance

Privacy programs overlap with:

  • GDPR (EU operations)
  • LGPD (Brazil)
  • PIPEDA (Canada)
  • HIPAA (US health data)
  • GLBA (US financial data)
  • SOX, SOC 2 (US public companies / SaaS)
  • PCI DSS (US payment data)

Unified approach to privacy + security + compliance reduces duplication.

For Valtik clients

Valtik's privacy program consultations cover:

  • State privacy law applicability analysis for your business
  • Privacy program design scaled to organization size
  • Privacy policy and notice development
  • Consumer rights intake and fulfillment processes
  • Vendor contract review for privacy terms
  • Integration with security program (overlap with our security audit offerings)

For businesses uncertain about their state privacy compliance posture, we offer a two-hour initial consultation to assess applicability and sketch program outline. Reach out via https://valtikstudios.com.

The honest summary

US state privacy law is a patchwork that's only going to grow more complex. More states passing laws each year. Existing laws getting amended. Enforcement increasing. Penalties growing.

For any business handling personal information at scale, privacy compliance is now a real operational obligation. Not an "eventually we'll deal with it" item. The penalty exposure is material. The enforcement is active.

Start with California compliance. Extend to all US residents. Layer on state-specific additions. Operationalize consumer rights handling. Manage vendor privacy. Monitor the regulatory landscape.

The alternative, waiting for federal preemption that may never come or for enforcement to force action, is increasingly the riskier path.
