US State Privacy Laws in 2026: The Complete Business Compliance Map


28 May 2026, by Hansen Tong

If your business collects personal data from users in the United States, your compliance obligations changed on January 1, 2026. Three more states enacted comprehensive privacy laws, bringing the total to twenty. Several existing laws added new restrictions on minors’ data, biometric information, and automated decision-making. And enforcement agencies in California, Texas, and Connecticut are issuing fines that have moved from theoretical warnings to real financial penalties.

The problem is not just the number of laws. It is that each state has different thresholds, different consumer rights, different enforcement mechanisms, and different cure periods. A privacy policy that satisfies California’s requirements may leave gaps under Rhode Island’s law. An opt-out process that works for Virginia may fail Connecticut’s updated standards for minors.

At TOS Lawyer, we help businesses build privacy policies and data handling frameworks that work across multiple state jurisdictions at once. This guide breaks down what changed in 2026, which states matter most, and what your business needs to do now.

1. Twenty States Now Have Comprehensive Privacy Laws

As of January 2026, twenty US states have enacted comprehensive consumer data privacy laws. There is still no federal privacy law, which means each state sets its own rules for how businesses must collect, process, store, and delete personal data.

The states with active comprehensive privacy laws in 2026 are California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, Rhode Island, and Florida (with a narrower scope than others). Arkansas joins mid-year with a July 1 effective date.

If your website, app, or SaaS platform serves customers in more than one state, you likely fall under multiple laws simultaneously. A single privacy policy needs to address all of them.

2. New Laws That Took Effect on January 1, 2026

Three new comprehensive privacy laws became enforceable at the start of the year: Indiana (SB 5), Kentucky (HB 15), and Rhode Island (HB 7787/SB 2500). All three follow the general template established by Virginia’s Consumer Data Protection Act, but each has notable differences businesses should understand.

Indiana’s Consumer Data Protection Act applies to for-profit businesses that control or process personal data of at least 100,000 Indiana residents, or that derive more than 50% of gross revenue from selling the data of 25,000 or more consumers. The law requires clear privacy policies, opt-in consent for sensitive data processing, and a consumer appeals process.

Kentucky’s law was amended before it even took effect (via HB 473), adjusting healthcare data exemptions and clarifying when data protection assessments are required for profiling activities.

Rhode Island stands out for two reasons. First, its applicability thresholds are significantly lower than most states: the law covers entities that process data of just 35,000 consumers, or 10,000 consumers if more than 20% of revenue comes from data sales. Second, Rhode Island provides no cure period. Unlike Indiana and Kentucky, businesses face immediate enforcement action for violations without an opportunity to fix the problem first.

3. Mid-Year 2026 Changes: Connecticut, Arkansas, Utah, and California

The compliance calendar does not stop in January. Several important changes take effect mid-year.

Connecticut’s privacy law receives significant amendments on July 1, 2026, tightening protections for minors’ data and adding age-appropriate design code requirements for online services likely to be accessed by children. If your platform has any user base under 18, Connecticut’s updated rules now require proactive design changes, not just policy language.

Arkansas activates its comprehensive privacy law on July 1, and Utah implements new amendments on the same date. Both add to the growing list of states requiring businesses to honor consumer data rights requests, maintain transparent privacy policies, and conduct data protection assessments for high-risk processing activities.

California continues to expand its regulatory framework. On August 1, new data broker registration requirements under SB 361 take effect, mandating detailed disclosures about what personal data brokers collect, whether that data is sold to government entities, foreign actors, or generative AI developers, and requiring brokers to process opt-out requests through the California Privacy Protection Agency’s deletion mechanism within 45 days.

4. The Global Privacy Control Is No Longer Optional

One of the most operationally significant developments in 2026 is the expansion of Universal Opt-Out Mechanism (UOOM) requirements. Eleven states now require websites to recognize and honor the Global Privacy Control (GPC) signal. Those states include California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas.

When a user’s browser sends a GPC signal, your website must treat it as a valid opt-out request for the sale of personal data and for targeted advertising. If your site ignores GPC signals, you are in violation in every one of those eleven states. This is not a theoretical risk. California’s Attorney General and the CPPA have already issued enforcement actions against businesses that failed to honor GPC.

For SaaS companies and e-commerce platforms, implementing GPC recognition requires both technical changes to your consent management platform and legal updates to your privacy policy to disclose how your site responds to browser-based opt-out signals.
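The following is an added example, not code from the original article or from TOS Lawyer, showing what "recognizing the GPC signal" means in practice on both sides of an HTTP request. The header name `Sec-GPC` (value exactly `1`) and the browser property `navigator.globalPrivacyControl` are defined by the GPC specification; the function names, the purpose labels (`sale`, `targeted_advertising`, `analytics`), the shape of the stored consent record and the consent-log entry are assumptions made for this illustration. The log entry is included because the article later lists consent logs among the documentation regulators ask for.

```javascript
// Added example: detecting the Global Privacy Control signal and applying it to
// the two processing purposes the article says it must switch off (sale of personal
// data and targeted advertising). Not part of the original post.

// Server side. Per the GPC specification the request header is `Sec-GPC` and an
// opt-out is signalled by the exact value "1". Header names are matched
// case-insensitively; a missing header or any other value is not an opt-out.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side. Browsers expose the same preference as the boolean
// navigator.globalPrivacyControl. `nav` is injectable so this runs outside a browser.
function gpcSignalPresentInBrowser(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Purposes that a GPC signal must be treated as opting out of (from the article).
const GPC_COVERED_PURPOSES = new Set(["sale", "targeted_advertising"]);

// Decide which purposes may run for this request. `consent` is an assumed
// per-user record mapping purpose -> boolean (what the user affirmatively allowed).
// The GPC signal is honoured as a valid opt-out for the covered purposes regardless
// of the stored record; purposes outside GPC's scope follow the stored record only.
function resolvePurposes(consent, headers) {
  const optedOut = gpcSignalPresent(headers);
  const allowed = {};
  for (const [purpose, granted] of Object.entries(consent)) {
    allowed[purpose] = GPC_COVERED_PURPOSES.has(purpose) ? granted && !optedOut : granted;
  }
  return { optedOut, allowed };
}

// Consent-log entry recording how the signal was handled (assumed format), so the
// decision is documented for a later regulator request.
function consentLogEntry(userId, headers, now = new Date()) {
  const optedOut = gpcSignalPresent(headers);
  return {
    userId,
    timestamp: now.toISOString(),
    source: optedOut ? "gpc" : "none",
    optOut: optedOut ? [...GPC_COVERED_PURPOSES] : [],
  };
}

// Constructed sample requests: one carrying the GPC header, one without it.
const SAMPLE_WITH_GPC = { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" };
const SAMPLE_WITHOUT_GPC = { "User-Agent": "ExampleBrowser/1.0" };
// Constructed stored consent: the user previously allowed everything.
const SAMPLE_CONSENT = { sale: true, targeted_advertising: true, analytics: true };

console.log(resolvePurposes(SAMPLE_CONSENT, SAMPLE_WITH_GPC));
// sale and targeted_advertising become false; analytics stays true
console.log(resolvePurposes(SAMPLE_CONSENT, SAMPLE_WITHOUT_GPC));
// all three stay true
console.log(consentLogEntry("user-123", SAMPLE_WITH_GPC));
```

The design point is that the signal overrides the covered purposes only: a GPC-sending user who has separately allowed, say, analytics is not silently opted out of everything, and a user without the signal is governed by whatever they actually consented to. Whatever your consent management platform does with the result, the privacy policy still has to describe that behaviour, as the paragraph above notes.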

5. Minors’ Data: The Fastest-Moving Area of State Privacy Law

If your platform is accessible to users under 18, the 2026 regulatory landscape is shifting fast. Multiple states have added or strengthened protections specifically for minors’ personal data.

Oregon now prohibits the sale of personal data when a controller has actual knowledge, or willfully disregards knowledge, that the consumer is under 16. Oregon also restricts the sale of precise geolocation data within a 1,750-foot radius for any user.

Nebraska’s Age-Appropriate Design Code (LB 504) took effect January 1, applying to online services that cannot reasonably conclude fewer than 2% of their users are minors. Connecticut and Maryland have added similar age-appropriate design code requirements.

Texas enacted the Responsible Artificial Intelligence Governance Act (HB 149), which requires age ratings, parental consent mechanisms, and data minimization for apps targeting minors, while also applying existing privacy requirements to data collected or processed by AI systems.

The trend is clear: states are treating children’s data as a separate compliance category with stricter consent requirements, design obligations, and enforcement consequences than general consumer data.

6. Enforcement Is Real and Escalating

State privacy law enforcement in 2026 has moved well beyond warning letters. California, Texas, and Connecticut are leading enforcement actions, with multi-million dollar penalties now established as precedent.

California’s enforcement has been the most aggressive. The CPPA and the state Attorney General have pursued actions against companies that failed to honor opt-out requests, did not respond to consumer deletion requests within the required timeframe, maintained privacy policies that contradicted actual data handling practices, and ignored GPC signals.

Texas has used its broad enforcement authority under the Texas Data Privacy and Security Act to target companies that process biometric data without consent. Connecticut is enforcing its updated minor data protections with a focus on social media and edtech platforms.

For businesses operating across multiple states, the enforcement risk is multiplicative. A single privacy policy failure can trigger violations in every state where your users reside.

7. What Your Privacy Policy Must Address in 2026

A compliant privacy policy in 2026 needs to cover significantly more ground than a CCPA-only policy written in 2020. At minimum, your policy must disclose the categories of personal data you collect and the purposes for each, whether you sell personal data or use it for targeted advertising (and how users can opt out), how you handle sensitive data categories (health, biometric, precise geolocation, financial, minors’ data), your response to Universal Opt-Out Mechanisms like GPC, the consumer rights available in each applicable state (access, deletion, correction, portability, opt-out), your data retention periods and deletion procedures, and whether personal data is shared with third parties, including government entities, foreign actors, or AI developers.

A generic, template-based privacy policy will not satisfy the specific disclosure requirements that vary across twenty different state laws. If your business serves customers nationwide, your privacy policy needs to account for the strictest requirements across all applicable jurisdictions. A technology lawyer who understands both the legal requirements and the technical implementation can build a policy framework that covers your obligations across every state where your users are located.

8. Building a Multi-State Compliance Framework

Treating compliance as a state-by-state exercise is not sustainable at twenty states. The businesses that manage this effectively are building unified compliance frameworks based on the strictest applicable standard, then making state-specific adjustments where necessary.

Start with these operational priorities.

Implement GPC recognition across your website and app. This satisfies requirements in eleven states and signals good faith to regulators everywhere else.

Audit your consent flows for sensitive data. Most states require opt-in consent for health data, biometric data, precise geolocation, and minors’ data. A single consent mechanism that covers all sensitive categories is more reliable than separate flows for each state.

Update your data subject request process. Every state with a comprehensive privacy law gives consumers the right to access, delete, and opt out. Your process should handle requests from any state within the shortest applicable deadline (typically 45 days, but Rhode Island and some others may have tighter windows).

Conduct data protection assessments. California’s new regulations require mandatory risk assessments for high-risk processing activities, with initial assessments due by April 1, 2028. Starting now gives you a head start and prepares you for other states that are adopting similar requirements.

Document everything. When enforcement actions hit, the first thing regulators request is documentation of your compliance program. Policies, training records, consent logs, DPA completion dates, and data mapping are your primary defense.


Frequently Asked Questions

How many US states have privacy laws in 2026?

Twenty states have comprehensive consumer data privacy laws in effect as of 2026, with Arkansas joining mid-year on July 1. Florida’s law has a narrower scope than the others. There is still no federal comprehensive privacy law, so businesses must comply with each applicable state law individually.

Does my business need to comply with all twenty state privacy laws?

You must comply with the privacy laws of every state where your users or customers reside, provided your business meets that state’s applicability thresholds. If you operate a website, app, or SaaS platform accessible nationwide, you likely trigger obligations in most or all of these states. The most practical approach is building a compliance framework based on the strictest requirements and making state-specific adjustments where needed.

What is the Global Privacy Control and do I have to honor it?

The Global Privacy Control (GPC) is a browser-based signal that communicates a user’s opt-out preference for the sale of personal data and targeted advertising. As of 2026, eleven states legally require businesses to recognize and honor GPC signals, including California, Colorado, Texas, and Connecticut. Ignoring GPC in these states is a direct compliance violation.

What happens if I violate a state privacy law?

Penalties vary by state. California can impose fines of $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on total penalties. Texas has imposed multi-million dollar settlements. Rhode Island offers no cure period, meaning enforcement begins immediately upon discovery of a violation. Most other states provide a 30- to 60-day cure period before penalties apply, but that window is shrinking as more states follow Rhode Island’s approach.

Can I use a template privacy policy to cover all twenty states?

A template will not cover the specific disclosure and operational requirements that vary across twenty different state laws. Each state has different thresholds, different consumer rights categories, and different rules for sensitive data. A compliant privacy policy in 2026 must be tailored to your business operations, your data practices, and the specific states where your users are located.


Twenty state privacy laws create twenty different sets of obligations for your business. If your privacy policy has not been updated to reflect the 2026 landscape, or if you are unsure whether your data practices satisfy the requirements in every state where you operate, contact Hansen Tong at TOS Lawyer for a compliance review by a technology lawyer who builds privacy frameworks for digital businesses.
