How Many States Have Data Privacy Laws in 2026? Complete Guide
The Short Answer: 20 States (Plus 1 Sector-Specific)
As of March 2026, 20 US states have enacted comprehensive consumer data privacy laws. Oklahoma became the 20th state when Governor Kevin Stitt signed SB 546 into law on March 20, 2026. Florida has a narrower, sector-specific digital privacy statute that applies only to certain large tech platforms.
Together, these laws cover more than half of the US population and affect businesses of virtually every size that collect personal data from consumers in these states.
All 20 States With Comprehensive Privacy Laws
Here is every state with an enacted comprehensive data privacy law, listed by effective date:
| State | Law Name | Effective Date | Status |
|---|---|---|---|
| California | CCPA / CPRA | Jan 1, 2020 | Active |
| Virginia | VCDPA | Jan 1, 2023 | Active |
| Colorado | CPA | Jul 1, 2023 | Active |
| Connecticut | CTDPA | Jul 1, 2023 | Active |
| Utah | UCPA | Dec 31, 2023 | Active |
| Iowa | ICDPA | Jan 1, 2025 | Active |
| Tennessee | TIPA | Jul 1, 2025 | Active |
| Montana | MCDPA | Oct 1, 2024 | Active |
| Texas | TDPSA | Jul 1, 2024 | Active |
| Oregon | OCPA | Jul 1, 2024 | Active |
| Delaware | DPDPA | Jan 1, 2025 | Active |
| New Hampshire | NH SB 255 | Jan 1, 2025 | Active |
| New Jersey | NJ SB 332 | Jan 15, 2025 | Active |
| Nebraska | NDPA | Jan 1, 2025 | Active |
| Minnesota | MCDPA | Jul 31, 2025 | Active |
| Maryland | MODPA | Oct 1, 2025 | Active |
| Indiana | INCDPA | Jan 1, 2026 | Active |
| Kentucky | KCDPA | Jan 1, 2026 | Active |
| Rhode Island | RIDPA | Jan 1, 2026 | Active |
| Oklahoma | OKCDPA | Jan 1, 2027 | Signed, not yet effective |
Florida also has a Digital Bill of Rights (SB 262), but it applies only to companies with $1 billion+ in global revenue or that operate large digital platforms, making it narrower than the comprehensive laws above.
Which States Had Privacy Laws Take Effect in 2026?
Three new state privacy laws became active on January 1, 2026: Indiana, Kentucky, and Rhode Island. This brought the total number of states with active, enforceable privacy laws from 16 to 19. Oklahoma's law was signed in March 2026 but won't take effect until January 1, 2027.
What Do These Laws Have in Common?
While each state's law has unique details, most comprehensive state privacy laws share several core features:
- Consumer rights — the right to access, delete, correct, and port personal data, plus the right to opt out of data sales and targeted advertising
- Business obligations — privacy notices, data protection assessments, data processing agreements with vendors, and reasonable security measures
- Applicability thresholds — typically based on the number of consumers whose data you process (often 100,000) or revenue derived from selling personal data
- AG enforcement — most laws are enforced exclusively by the state Attorney General (California is the exception, with its dedicated Privacy Protection Agency)
Key Differences Between State Privacy Laws
Despite the common framework, important differences exist across states that affect compliance strategy:
Applicability Thresholds
Thresholds vary significantly. California's CCPA applies to businesses with $25 million+ in annual revenue or that handle 100,000+ consumers' data. Texas and Montana have no revenue threshold at all. Rhode Island sets a lower bar at 35,000 consumers. Use our privacy law calculator to check which laws apply to your business.
Cure Periods
Several states give businesses a window to fix violations before penalties apply. Virginia provides a permanent 30-day cure period. Oregon's cure period expired January 1, 2026. Other states like California never offered one.
Private Right of Action
California is the only state that grants consumers a limited private right of action (for data breaches only). All other states rely solely on AG enforcement.
Universal Opt-Out Mechanisms
California, Colorado, Connecticut, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, and Nebraska require businesses to honor universal opt-out signals like Global Privacy Control (GPC). Check your obligations with our GPC compliance checker.
States That May Pass Privacy Laws Next
Several states have active privacy bills in their 2026 legislative sessions. Alabama's HB 351 passed the House unanimously and is awaiting a full Senate vote. The legislature returns from spring break on March 31, 2026, with the session scheduled to adjourn April 16. Pennsylvania, Ohio, Michigan, Vermont, and New York all have pending bills. Historically, roughly 5-8 new states per year have been enacting comprehensive laws since 2023.
What Does This Mean for Your Business?
If your business collects personal data from consumers in any of these 20 states — whether through a website, mobile app, or offline interactions — you likely need to comply with at least some of these laws. The practical impact depends on your company's size, revenue, and data practices.
Start by using our free privacy law calculator to determine which specific laws apply to you, then review the detailed state-by-state comparison to understand your obligations. For a step-by-step compliance plan, check the compliance checklists available for each state.
Last updated: March 28, 2026. We update this page as new laws are enacted. For the latest developments, see our compliance deadline tracker.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.