State Privacy Law Roundup: 20 US States and What They Require

11 Jan 2022
5 min read

The United States does not have a federal comprehensive privacy law. What it has instead is twenty state laws — passed at different times, shaped by different legislative priorities, and enforced by different agencies with different expectations. For companies operating nationally, this patchwork creates compliance complexity that cannot be solved by any single program design. Understanding what each state actually requires — not just the talking points, but the specific operational obligations — is the starting point for managing the exposure.

This roundup covers the twenty states with comprehensive consumer privacy laws currently in effect or taking effect through 2026. We address the key provisions that distinguish each law, the industries and company sizes most affected, and the enforcement posture each state has signaled.

The Foundation: California

California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

California remains the most consequential state privacy law in the United States by nearly every measure: the size of the regulated market, the breadth of its rights framework, the robustness of its enforcement agency, and the volume of private litigation it has generated. The California Privacy Rights Act, which amended and expanded CCPA effective January 1, 2023, added several features that distinguish California from every other state.

The California Privacy Protection Agency has independent rulemaking and enforcement authority. It has issued regulations on automated decision-making, cybersecurity audits, and risk assessments — areas where most states have no regulatory infrastructure at all. CPRA's private right of action, while limited to data breaches, has generated substantial litigation. And the law's "sensitive personal information" category, which includes precise geolocation, health data, and biometric data, carries additional restrictions that most state laws handle less specifically.

California's extraterritorial reach is significant. Any company with California customers meeting the revenue or data processing thresholds must comply, regardless of where the company is incorporated or headquartered.

The Second Wave: Virginia, Colorado, Connecticut, Utah

Four states followed California with comprehensive privacy laws that took effect in 2023: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). These laws share a common architecture that differs from CCPA in important ways.

Unlike CCPA, these laws do not have a private right of action. Enforcement is exclusively through the state attorney general. The practical implication is that enforcement risk is lower in volume but concentrated in high-profile investigations rather than dispersed through class action litigation. Colorado's attorney general has been the most active of this group, issuing substantive guidance on data protection assessments and targeted advertising consent requirements.

Virginia's law is notable for its relatively company-friendly provisions: a 30-day cure period for violations, no private right of action, and thresholds that exempt smaller companies. Colorado has no cure period and has issued guidance suggesting a more aggressive enforcement posture. Connecticut's law includes provisions on dark patterns — interface designs that manipulate users into consenting to data collection — that go beyond most other state frameworks.

Utah's law is the most limited of the four: it applies only to controllers processing data from 100,000 consumers annually or deriving revenue from the sale of personal data from 25,000+ consumers. It is the only state law with no cure period and no data protection assessment requirement, though enforcement capacity at Utah's attorney general office has historically been limited.

The Third Wave: Nine More States

Between 2024 and 2026, nine additional states enacted comprehensive privacy laws: Montana, Iowa, Indiana, Tennessee, Oregon, Texas, Florida, Maryland, and New Hampshire. This wave brought the total to fifteen states, each with variations that require careful analysis.

Oregon's law is notable for several reasons. It covers nonprofit organizations — a category most state laws explicitly exclude. It has broad sensitive data provisions including immigration status. And it requires data minimization and purpose limitation in ways that are more prescriptive than most other state frameworks.

Texas passed a comprehensive privacy law in 2023 effective July 2024. The Texas Data Privacy and Security Act applies to companies that conduct business in Texas or produce products targeted to Texas residents, with no revenue threshold — a broader reach than California's law. Texas has no private right of action but its attorney general has signaled aggressive enforcement intentions, particularly regarding healthcare data and children's privacy.

Florida's law, by contrast, is notably narrow: it applies only to controllers with annual revenue exceeding $1 billion, which limits its scope to large corporations. Florida has effectively created a law that regulates a small number of the largest companies operating in the state while leaving the broader market unaddressed.

Maryland's Online Data Privacy Act, effective October 2025, is among the most consumer-protective state laws enacted to date. It prohibits the sale of sensitive data entirely — not just requiring consent, but banning the practice outright. It applies a data minimization standard that requires companies to collect only data "reasonably necessary" for their stated purposes. And it covers minors' data with particular attention to targeted advertising.

The Fourth Wave: Five More States Taking Effect in 2025–2026

Five more states — New Jersey, Nebraska, Minnesota, Rhode Island, and Kentucky — have enacted comprehensive privacy laws taking effect between 2025 and 2026. Minnesota's law, effective July 2025, is particularly noteworthy for its detailed provisions on profiling, automated decision-making, and the right to explanation for consequential decisions — provisions that go significantly beyond most other state frameworks.

New Jersey's law took effect January 15, 2025. It applies to controllers processing data from 100,000+ New Jersey consumers or 25,000+ consumers while deriving revenue from data sales. New Jersey's attorney general has been active in technology and privacy enforcement, suggesting meaningful enforcement capacity.

What This Means Operationally

For privacy programs and legal teams, the twenty-state framework creates several specific operational challenges that cannot be addressed by California compliance alone.

Universal opt-out mechanisms are now legally required in Colorado, Connecticut, Oregon, Texas, Montana, and several other states. These mechanisms must recognize signals like the Global Privacy Control (GPC) browser signal. Companies that haven't implemented GPC recognition are potentially out of compliance in multiple states simultaneously.
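The Global Privacy Control signal mentioned above arrives at a server as the HTTP request header Sec-GPC with the value 1 (browsers also expose it to page scripts as navigator.globalPrivacyControl). The following is an added example, not code from the original article: it parses a constructed HTTP request head, checks for the signal per the GPC specification (only the exact value "1" counts), and applies a hypothetical processing policy in which the signal is treated as a binding opt-out of sale, sharing and targeted advertising for consumers in the states the article names, and honoured by default elsewhere unless an explicit consent record exists. The state list, the sample request and the policy rules are all illustrative assumptions; the header name and value are the real GPC mechanism.

```python
"""Recognise the Global Privacy Control (GPC) opt-out signal on a request.

Added example, not from the original article. GPC is sent by supporting
browsers as ``Sec-GPC: 1``. Per the GPC specification only the exact value
"1" asserts an opt-out preference; any other value, or a missing header,
carries no signal at all.
"""

from dataclasses import dataclass
from typing import Dict, Mapping

# Illustrative set of states the article names as requiring universal
# opt-out recognition (assumption for this example; statute text governs).
GPC_OPT_OUT_STATES = frozenset({"CA", "CO", "CT", "OR", "TX", "MT"})

# Constructed sample request head, labelled as such; not captured traffic.
SAMPLE_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"User-Agent: ConstructedBrowser/1.0\r\n"
    b"Sec-GPC: 1\r\n"
    b"\r\n"
)


def parse_header_block(raw: bytes) -> Dict[str, str]:
    """Parse an HTTP/1.1 request head into a lower-cased header dict.

    The request line is dropped; header names are lower-cased and values
    trimmed so later lookups do not depend on the sender's capitalisation.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # malformed line; ignore rather than fail the request
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries ``Sec-GPC: 1``.

    Matching is case-insensitive on the name and whitespace-tolerant on the
    value; "0", "true" or any other value is deliberately NOT treated as an
    opt-out, because the specification defines only "1" as the signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class ProcessingDecision:
    allow_sale_or_sharing: bool
    allow_targeted_advertising: bool
    reason: str  # keep an auditable reason for assessment and AG requests


def decide_processing(headers: Mapping[str, str], consumer_state: str,
                      prior_consent_to_sale: bool = False) -> ProcessingDecision:
    """Apply the GPC signal under a hypothetical multi-state policy.

    Hypothetical rules (assumption, not legal advice from the article):
    - no signal: processing proceeds as the existing consent record allows;
    - signal and consumer in a listed state: treated as a required opt-out,
      overriding any earlier consent record;
    - signal elsewhere: honoured by default, since honouring everywhere is
      cheaper and safer than precise geolocation, unless an explicit prior
      consent to sale is on file.
    """
    state = consumer_state.upper()
    if not gpc_signal_present(headers):
        return ProcessingDecision(True, True, "no GPC signal on request")
    if state in GPC_OPT_OUT_STATES:
        return ProcessingDecision(
            False, False, f"GPC honoured as required opt-out in {state}")
    if prior_consent_to_sale:
        return ProcessingDecision(
            True, True, f"GPC seen but explicit prior consent on file in {state}")
    return ProcessingDecision(
        False, False, f"GPC honoured by default policy in {state}")


if __name__ == "__main__":
    hdrs = parse_header_block(SAMPLE_REQUEST)
    print(decide_processing(hdrs, "OR"))
```

The reason string is kept on every decision so that the choice can be logged alongside the request; that record is what a data protection assessment or an attorney general inquiry would ask for when checking that the signal was honoured.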

Data protection assessments — also called privacy impact assessments or data protection impact assessments — are required in at least twelve states for high-risk processing activities including targeted advertising, sale of personal data, and certain profiling activities. These assessments must be documented and, in some states, made available to the attorney general on request.

Children's privacy provisions vary significantly across states but universally require heightened attention. Several states have enacted separate children's online safety laws (the California Age-Appropriate Design Code, Maryland's Kids Code) that impose requirements beyond the comprehensive privacy frameworks.

The enforcement picture is uneven. California's CPPA has the most resources and regulatory ambition. Colorado, Texas, Oregon, and New Jersey have demonstrated meaningful enforcement capacity. Many other states have limited dedicated privacy enforcement infrastructure. But as the legal landscape matures and enforcement patterns emerge, companies that have built defensible programs based on the full multi-state framework will be better positioned than those that have calibrated only to the most-enforced jurisdictions.