Privacy Policy Requirements by State: What US Privacy Laws Require in Your Privacy Notice
Why Your Privacy Policy Matters More Than Ever
With 21 US states now enforcing comprehensive privacy laws, your website privacy policy is no longer just legal boilerplate — it is a compliance document that regulators actively review. In March 2026 alone, the California Privacy Protection Agency fined Ford Motor Company $375,703 partly for inadequate privacy disclosures around opt-out rights, and PlayOn Sports $1.1 million for deficient privacy practices.
Every state privacy law requires businesses to maintain a privacy policy (often called a "privacy notice") that meets specific disclosure requirements. The challenge: each state's requirements differ. This guide breaks down what each state law demands, so you can build a single privacy policy that satisfies all of them.
Use our Privacy Law Calculator to determine which state laws apply to your business before building your privacy policy.
Universal Requirements: What Every State Law Demands
While each state law has unique provisions, all 21 comprehensive state privacy laws share a common set of baseline privacy policy requirements. Your privacy notice must disclose:
- Categories of personal data collected — What types of information you gather (identifiers, commercial data, geolocation, biometric, etc.)
- Purposes of processing — Why you collect and use each category of data
- Categories of third parties — Who you share personal data with and why
- Consumer rights — What rights consumers have under applicable laws and how to exercise them
- Contact information — How consumers can reach you with privacy questions or requests
- Effective date — When the policy was last updated
Beyond these basics, individual states layer on additional requirements. The table below maps the key differences.
State-by-State Privacy Policy Requirements
| Requirement | CA (CCPA/CPRA) | VA (VCDPA) | CO (CPA) | CT (CTDPA) | TX (TDPSA) |
|---|---|---|---|---|---|
| Categories of data collected | Yes — must list specific categories from CCPA taxonomy | Yes | Yes | Yes | Yes |
| Purpose of collection | Yes — per category | Yes | Yes | Yes | Yes |
| "Do Not Sell" link required | Yes — prominent link | No | No | No | Yes — if selling data |
| Opt-out preference signal disclosure | Yes — must describe how signals are honored | No | Yes — must honor universal opt-out | Yes — must honor universal opt-out | Yes — must honor universal opt-out |
| Sensitive data disclosure | Yes — separate category | Yes — consent required | Yes — consent required | Yes — consent required | Yes — consent required |
| Data retention periods | Yes — per category | No | Yes — must specify | No | No |
| Sale of data disclosure | Yes — categories sold in past 12 months | Yes — if applicable | Yes — if applicable | Yes — if applicable | Yes — if applicable |
| Financial incentive disclosure | Yes — loyalty programs, price differences | No | No | No | No |
| Right to appeal | No | Yes — must describe process | Yes — must describe process | Yes — must describe process | Yes — must describe process |
| Minors/children provision | Yes — opt-in for under-16 | Yes — opt-in for known children | Yes — opt-in for known children | Yes — opt-in for under-16 | Yes — opt-in for known children |
For a detailed side-by-side comparison of all state laws, use our State Privacy Law Comparison Tool.
California (CCPA/CPRA): The Most Demanding Requirements
California's privacy policy requirements are the most extensive of any US state. Your CCPA-compliant privacy notice must include all of the following:
- Right to know disclosure — Categories of personal information collected, sources, purposes, and third parties with whom data is shared, all organized using the CCPA's specific data categories (identifiers, commercial information, biometric data, internet activity, geolocation, professional information, education information, inferences).
- "Do Not Sell or Share My Personal Information" link — A clear, conspicuous link on your homepage. The Ford fine shows that California regulators scrutinize exactly how accessible this mechanism is.
- Opt-out preference signal statement — Disclosure of whether and how you honor GPC and other opt-out preference signals. See our GPC Compliance Checker.
- Data retention periods — How long you retain each category of personal information, or the criteria used to determine retention periods. Our data retention policy guide walks through this requirement.
- Financial incentive notice — If you offer loyalty programs or price differences based on personal data, describe the material terms and how consumers can opt in or out.
- 12-month look-back disclosures — Categories of data collected, sold, and disclosed for a business purpose in the preceding 12 months.
- Consumer rights summary — The right to know, delete, correct, opt out, and limit use of sensitive data, plus how to exercise each right.
- Authorized agent instructions — How consumers can designate an authorized agent to submit requests on their behalf.
- Non-discrimination statement — A statement that you will not discriminate against consumers who exercise their privacy rights.
For the complete California requirements, see our California CCPA/CPRA state page and compliance checklist.
Virginia, Colorado, Connecticut, and Other "Washington Model" States
Most state privacy laws follow what's called the "Washington Privacy Act" model. These include Virginia, Colorado, Connecticut, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Delaware, and Oklahoma.
These states share similar (but not identical) privacy notice requirements:
- Categories of personal data processed and purposes of processing
- Consumer rights — access, deletion, correction, portability, and opt-out of targeted advertising, sale, and profiling
- How to exercise rights — including one or more methods for submitting requests
- Appeal process — most "Washington model" states require you to describe how consumers can appeal a denied request (California does not require this)
- Third-party sharing — categories of data shared and categories of recipients
- Sensitive data handling — how you handle sensitive data categories, typically requiring opt-in consent
Texas and Maryland: Notable Differences
Texas (TDPSA)
The Texas Data Privacy and Security Act largely follows the Washington model but adds a notable requirement: if you sell personal data, you must include a conspicuous mechanism for opting out, similar to California's "Do Not Sell" link requirement. Texas also has no revenue threshold — any business processing Texas resident data may be subject to the law.
Maryland (MODPA)
The Maryland Online Data Privacy Act, which began enforcement on April 1, 2026, is the strictest state privacy law outside California. Key differences for your privacy policy:
- Data minimization disclosure — You must disclose that you only collect data that is reasonably necessary and proportionate to the purpose. Maryland's minimization standard is stricter than any other state. See our data minimization guide.
- No sale of sensitive data — Maryland prohibits selling sensitive data entirely (not just requiring consent), so your privacy policy must reflect that sensitive data is never sold.
- Broader definition of sale — Maryland defines "sale" to include any exchange for valuable consideration, not just monetary exchange.
For a complete Maryland compliance breakdown, read our Maryland MODPA enforcement guide.
10-Point Privacy Policy Compliance Checklist
Use this checklist to ensure your privacy policy meets the requirements of all applicable state privacy laws:
- List all categories of personal data collected — Use the CCPA taxonomy as a baseline since it is the most granular. Include identifiers, commercial information, internet activity, geolocation, biometric data, professional data, education data, and inferences.
- State the purpose for each data category — Be specific. "Business purposes" is not sufficient — explain what those purposes are (order fulfillment, customer support, analytics, advertising, etc.).
- Identify all third-party recipients — Categorize who receives data: service providers, contractors, advertising partners, analytics providers, affiliated entities.
- Include all required consumer rights — Access, deletion, correction, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling. List the specific rights granted by each applicable state law.
- Describe how to exercise each right — Provide at least two methods (e.g., web form and email). Include expected response timeframes (typically 45 days with possible 45-day extension).
- Add an appeal process — Required by Virginia, Colorado, Connecticut, and most other states. Describe how consumers can appeal if you deny their request.
- Include a "Do Not Sell" mechanism — Required in California and Texas. Best practice for all states even if not strictly required — regulators view this favorably.
- Disclose opt-out preference signal handling — State whether you honor GPC or other universal opt-out mechanisms. Required in California, Colorado, Connecticut, Texas, Montana, Delaware, and Oregon.
- Specify data retention periods — Required by California and Colorado. Best practice for all states, especially given Maryland's data minimization requirements.
- Add a "last updated" date — Required by most state laws. Review and update your policy at least annually or whenever your data practices change.
Common Mistakes That Trigger Enforcement
Based on recent enforcement actions in 2025 and 2026, these are the privacy policy mistakes most likely to attract regulatory attention:
Mistake 1: Making opt-out difficult or hidden
The Ford Motor Company case ($375,703 fine, March 2026) centered on Ford requiring email verification before processing opt-out requests. CalPrivacy ruled that any unnecessary friction in the opt-out process violates the CCPA. Your opt-out mechanism must be immediately accessible and functional without extra verification steps.
Mistake 2: Outsourcing opt-out to third parties
PlayOn Sports was fined $1.1 million partly for directing consumers to third-party advertising industry opt-out tools instead of providing its own mechanism. Your privacy policy must link to your own opt-out mechanism — not to the DAA or NAI websites.
Mistake 3: Generic or outdated privacy policies
Using a generic template that does not reflect your actual data practices is a violation. Your privacy policy must accurately describe what data you collect, how you use it, and who you share it with. Tractor Supply Company was fined $1.35 million in part for privacy notice deficiencies.
Mistake 4: Ignoring new state laws
With six new state laws taking effect in 2026 alone, businesses that drafted their privacy policy in 2023 or 2024 are likely missing required disclosures. Review your policy against all applicable states using our comparison tool.
Mistake 5: Not addressing sensitive data
Every state law treats sensitive personal data differently. If you collect health data, biometric data, precise geolocation, or data revealing racial or ethnic origin, religious beliefs, or sexual orientation, your privacy policy must specifically address how you handle it. Most states require opt-in consent for sensitive data processing. Review our sensitive data guide for specifics.
How to Structure Your Multi-State Privacy Policy
Rather than creating separate privacy policies for each state, most businesses use a single comprehensive policy with state-specific sections. Here is the recommended structure:
- Introduction — Who you are, what the policy covers, effective date
- Information we collect — Categories of personal data, organized by type
- How we use your information — Purposes of processing, per category
- How we share your information — Third-party categories and purposes
- Your privacy rights — Universal rights section plus state-specific subsections
- California residents — CCPA-specific disclosures (12-month look-back, financial incentives, authorized agents)
- Other state residents — Rights and disclosures specific to Virginia, Colorado, Connecticut, Texas, Oregon, Maryland, etc.
- Sensitive personal data — How you handle sensitive categories
- Data retention — Retention periods or criteria
- How to exercise your rights — Methods, response times, appeal process
- Children's privacy — Age verification, parental consent, COPPA compliance
- Changes to this policy — How you notify consumers of updates
- Contact information — Privacy team contact details
Frequently Asked Questions
Do I need a separate privacy policy for each state?
No. The best practice is a single comprehensive privacy policy that covers all applicable state laws, with state-specific sections where requirements differ. This approach is easier to maintain and ensures you do not miss any disclosures.
How often should I update my privacy policy?
At minimum, review your privacy policy annually and update it whenever your data practices change or new state laws take effect. With six new state privacy laws effective in 2026 and Maryland beginning enforcement in April 2026, most businesses should update their policies now.
What happens if my privacy policy is not compliant?
Depending on the state, penalties range from $2,500 to $7,500 per violation for California, up to $10,000 per violation in Connecticut, and $25,000 per violation under Maryland's MODPA. Enforcement is accelerating — California alone has issued more than $6 million in privacy fines in 2025 and 2026 combined. See our penalties tracker for the full list.
Does my small business need a privacy policy?
If you collect personal data from residents of any state with a privacy law and meet that state's applicability thresholds, yes. Many states have thresholds as low as 25,000 or 35,000 consumers — if you have a website with moderate traffic, you likely meet them. Use our compliance calculator to check which laws apply to your business.
Can I use a free privacy policy generator?
Generic privacy policy generators create baseline documents that may not include all state-specific requirements. If your business is subject to multiple state laws, a generic template will likely miss critical disclosures — especially California's 12-month look-back requirements, state-specific appeal processes, and opt-out preference signal disclosures. At minimum, use a generator as a starting point and customize it using the checklist above.
Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.