Quick answer: The US has no federal privacy law, but 19 states have enacted comprehensive privacy legislation as of 2026. Beyond California's CCPA/CPRA, Virginia, Colorado, Connecticut, Utah, and many others now have active privacy laws — each with unique requirements. If your website serves US users, you likely need to comply with multiple state laws simultaneously.
The US Privacy Patchwork: What Happened?
In the absence of a federal privacy law, US states have been passing their own legislation at an accelerating pace. What started with California's CCPA in 2018 has become a patchwork of state-level laws that collectively cover a significant portion of the US population. For businesses, this means navigating different consent models, consumer rights, and enforcement mechanisms depending on where their users are located.
State Privacy Laws: Complete Comparison Table
| State | Law | Effective | Consent Model | Private Right of Action | Key Feature |
|---|---|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 | Opt-out | Yes (data breaches) | Broadest scope; CPPA enforcement |
| Virginia | VCDPA | Jan 2023 | Opt-out | No | GDPR-inspired; no private right of action |
| Colorado | CPA | Jul 2023 | Opt-out | No | Universal opt-out mechanism required |
| Connecticut | CTDPA | Jul 2023 | Opt-out | No | Covers loyalty programs; AG enforcement |
| Utah | UCPA | Dec 2023 | Opt-out | No | Most business-friendly; high thresholds |
| Texas | TDPSA | Jul 2024 | Opt-out | No | No revenue or consumer-count threshold; exempts only SBA-defined small businesses |
| Oregon | OCPA | Jul 2024 | Opt-out | No | Covers nonprofits; employee data included |
| Montana | MCDPA | Oct 2024 | Opt-out | No | 50K-consumer threshold (or 25K plus 25%+ revenue from data sales) |
| Iowa | ICDPA | Jan 2025 | Opt-out | No | 90-day cure period |
| Delaware | DPDPA | Jan 2025 | Opt-out | No | 35K-consumer threshold, among the lowest in the country |
| New Hampshire | NHPA | Jan 2025 | Opt-out | No | Modelled after Connecticut CTDPA |
| New Jersey | NJDPA | Jan 2025 | Opt-out | No | Broad definition of "sale" |
| Nebraska | NDPA | Jan 2025 | Opt-out | No | Texas-style: no revenue/consumer threshold, SBA small businesses exempt |
| Tennessee | TIPA | Jul 2025 | Opt-out | No | Affirmative defense for privacy programs |
| Minnesota | MPDPA | Jul 2025 | Opt-out | No | Includes profiling transparency |
| Maryland | MODPA | Oct 2025 | Opt-out; sensitive data only when strictly necessary | No | Strictest: data minimization by default; sale of sensitive data prohibited |
| Indiana | INCDPA | Jan 2026 | Opt-out | No | Standard VCDPA-style law |
| Kentucky | KCDPA | Jan 2026 | Opt-out | No | 30-day cure period with no sunset |
| Rhode Island | RIDPA | Jan 2026 | Opt-out | No | 35K-consumer threshold; no universal opt-out signal requirement |
What These Laws Have in Common
Despite differences, most US state privacy laws share a common DNA inspired by the CCPA and VCDPA:
- Opt-Out for Targeted Advertising: All laws require a mechanism for consumers to opt out of targeted ads and the "sale" of personal data
- Right to Access: Consumers can request a copy of their personal data
- Right to Delete: Consumers can request deletion of their data
- Right to Correct: Most laws include a correction right
- Non-Discrimination: Businesses cannot discriminate against consumers who exercise their rights
- Privacy Policy: All require a publicly available privacy policy disclosing data practices
- Data Protection Assessments: Required for high-risk processing (targeted ads, profiling, sale of data, sensitive data) in every state except Utah and Iowa
Key Differences That Matter
1. Applicability Thresholds
Each state defines different thresholds for which businesses must comply:
- California (CCPA): $25M revenue, OR 100K consumers, OR 50%+ revenue from selling data
- Virginia (VCDPA): 100K consumers OR 25K consumers + 50%+ revenue from data sales
- Texas (TDPSA): No revenue threshold — applies to any business not classified as "small"
- Nebraska (NDPA): Texas-style; no revenue or consumer-count threshold, but SBA-defined small businesses are exempt (they still may not sell sensitive data without consent)
- Montana (MCDPA): 50K consumers, or 25K consumers with 25%+ revenue from data sales
- Delaware (DPDPA) and New Hampshire (NHPA): 35K consumers, the lowest consumer thresholds currently in force
2. Sensitive Data: Opt-In vs Opt-Out
Sensitive data handling is where the biggest divergence occurs:
- Opt-in consent required: Virginia, Colorado, Connecticut, Oregon, Maryland, Minnesota, and most newer laws
- Opt-out sufficient: Utah, Iowa (more business-friendly approach)
- California: Consumer can limit use of sensitive data but initial processing is allowed without prior opt-in
Sensitive data typically includes: race, ethnicity, religion, health data, sexual orientation, citizenship status, genetic/biometric data, precise geolocation, and children's data.
3. Universal Opt-Out Mechanisms
Several states now require businesses to honor browser-based opt-out signals like the Global Privacy Control (GPC):
- Required: California, Colorado, Connecticut, Texas, Montana, Delaware, Oregon, New Jersey, New Hampshire, Minnesota, Maryland, Nebraska (several phased the requirement in after the law's effective date; Oregon's applies from January 2026)
- Not required: Virginia, Utah, Iowa, Indiana, Kentucky, Tennessee, Rhode Island
This means your cookie consent banner and consent management platform must detect the signal on every request (it arrives as the `Sec-GPC: 1` request header and as `navigator.globalPrivacyControl` in the browser) and treat it as an opt-out of sale, sharing and targeted advertising, not only when the banner happens to be displayed. Check our CMP comparison guide to see whether your CMP supports this.
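Added example, not code from the original page or from any CMP vendor: how a site can read the Global Privacy Control signal from both surfaces the W3C GPC draft defines (the `Sec-GPC: 1` request header server-side, `navigator.globalPrivacyControl` in the browser) and gate "sale/share" tags on it. The tag manifest, the `privacy_choice` cookie format, the purpose categories and the request shape are all constructed for this example.

```javascript
// Added example (not from the original page): gate "sale/share" tags on the
// Global Privacy Control signal. Assumes the W3C GPC draft's two surfaces:
// the request header `Sec-GPC: 1` and `navigator.globalPrivacyControl === true`.
// The tag manifest, cookie name and request shape are constructed for this example.

// Purposes that count as "sale" or "sharing" (cross-context behavioral advertising).
// Classification is a judgment call per state definition (e.g. New Jersey's broad "sale");
// first-party analytics is treated here as not a sale.
const SALE_SHARE_PURPOSES = new Set(["targeted_ads", "cross_context_tracking", "data_broker_sync"]);

// Constructed tag manifest; a real CMP would load this from configuration.
const TAG_MANIFEST = [
  { id: "session-auth", purpose: "essential" },
  { id: "first-party-analytics", purpose: "analytics" },
  { id: "ads-pixel", purpose: "targeted_ads" },
  { id: "audience-sync", purpose: "data_broker_sync" },
];

// Per the GPC spec the only opt-out value is the exact string "1".
// "0", "true", an empty header or a missing header all mean "no signal".
function gpcFromHeader(secGpc) {
  return typeof secGpc === "string" && secGpc.trim() === "1";
}

// Browser-side equivalent: the property is a boolean, present only when the signal is on.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Read the consumer's saved banner choice from a Cookie header or document.cookie string.
// Cookie name `privacy_choice` with values opt_out / opt_in is an assumed format.
function storedChoice(cookieString) {
  if (typeof cookieString !== "string") return null;
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "privacy_choice" && (value === "opt_out" || value === "opt_in")) return value;
  }
  return null;
}

// Decide whether sale/share processing may run.
// GPC wins over a previously stored opt-in: California's CCPA regulations require the
// signal to be processed even when it conflicts with an earlier business-specific setting
// (the business may then ask the consumer whether they want to opt back in).
// With no signal and no stored choice, the opt-out model allows processing by default.
function saleShareAllowed({ gpc, choice }) {
  if (gpc) return false;
  if (choice === "opt_out") return false;
  return true;
}

// Filter the manifest: essential and other non-sale tags always load;
// sale/share tags load only when allowed.
function tagsToLoad(manifest, allowed) {
  return manifest
    .filter((tag) => allowed || !SALE_SHARE_PURPOSES.has(tag.purpose))
    .map((tag) => tag.id);
}

// Server side: evaluate once per request from the incoming headers
// (Node lowercases header names, so `sec-gpc` is the key).
function evaluateRequest(req) {
  const gpc = gpcFromHeader(req.headers["sec-gpc"]);
  const choice = storedChoice(req.headers["cookie"]);
  const allowed = saleShareAllowed({ gpc, choice });
  return { gpc, choice, allowed, loaded: tagsToLoad(TAG_MANIFEST, allowed) };
}

// Browser side: same decision from `navigator` and `document.cookie`, run before any
// tag loader. The signal can change between sessions, so re-evaluate on every page load.
function evaluateInBrowser(nav, cookieString) {
  const gpc = gpcFromNavigator(nav);
  const choice = storedChoice(cookieString);
  const allowed = saleShareAllowed({ gpc, choice });
  return { gpc, choice, allowed, loaded: tagsToLoad(TAG_MANIFEST, allowed) };
}
```

Two design choices worth noting. The header check is deliberately strict (`"1"` only) because the spec defines no other opt-out value, and loose parsing ("true", "yes") would let a misconfigured proxy silently change consent state. And the decision is made per request rather than cached from the banner, because the signal is browser-level and can be switched on after a consumer already clicked "accept"; applying it nationally, rather than only for residents of the states that mandate it, is the strictest-standard approach this page recommends.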
4. Cure Periods
Some states give businesses time to fix violations before enforcement. Many of these windows sunset, so check the law's current status rather than the text as enacted:
- No cure period: California (CPRA), Colorado (expired Jan 2025), Connecticut (expired Jan 2025)
- 30 days: Virginia, Texas, Kentucky, Indiana, Oregon (sunsets Jan 2026)
- 60 days: Montana (sunsets Apr 2026), Delaware (sunsets Jan 2026), Tennessee, New Hampshire (sunsets Jan 2026)
- 90 days: Iowa (most generous)
How US State Laws Compare to GDPR
| Feature | GDPR | US State Laws (Typical) |
|---|---|---|
| Consent Model | Opt-in by default | Opt-out (except for sensitive data) |
| Scope | All data processing | Usually above revenue/consumer thresholds |
| DPO Required | In certain cases | Not required by any state |
| Fines | Up to €20M or 4% of global annual turnover | Typically up to $7,500 per violation; Maryland up to $10,000 ($25,000 for repeat violations) |
| Enforcement | Data Protection Authorities | State Attorney General (most states) |
| Cookie Consent | Prior opt-in consent | Opt-out for targeted advertising |
| Data Portability | Yes | Most states include this right |
| Right to Delete | Yes | Yes (all states) |
Practical Compliance Strategy
Given the patchwork nature of US state laws, the most practical approach is to comply with the strictest standard and apply it nationally:
- Implement a universal opt-out mechanism that honors GPC signals on every request and persists the resulting opt-out for that browser (covers California, Colorado, Texas and the growing majority of states that require it)
- Get opt-in consent for sensitive data (covers Virginia, Colorado, Connecticut, Maryland, and the majority of states)
- Publish a comprehensive privacy policy disclosing data practices, consumer rights by state, and categories of data sold/shared
- Add a "Do Not Sell or Share My Personal Information" link visible on your homepage (the CPRA wording; California also accepts a single "Your Privacy Choices" link with the opt-out icon), which most other states expect as well
- Implement data access and deletion workflows — standardize across all states
- Conduct data protection assessments for targeted advertising and profiling activities
- Audit third-party vendors — use our vendor risk assessment guide to ensure your data processors comply
Frequently Asked Questions
Do US state privacy laws apply to my website if I'm based in Europe?
Yes, provided you meet the law's applicability test. These laws apply to businesses that conduct business in the state or target products and services to its residents and that meet the state's revenue or consumer-count thresholds, regardless of where the business is based. If your website processes data of residents in any of these states at that scale, the corresponding law applies. This is similar to GDPR's extraterritorial scope under Article 3.
Is a federal US privacy law coming?
Federal bills such as the American Data Privacy and Protection Act (ADPPA, 2022) and the American Privacy Rights Act (APRA, 2024) have been introduced, but none has passed as of 2026. Until a federal law is enacted, the state-level patchwork will continue to grow. Preparing for the strictest state standards is the safest strategy.
What is Global Privacy Control (GPC)?
GPC is a browser-level signal (a successor to Do Not Track that, unlike DNT, is legally binding in several states) telling websites the user does not want their data sold or shared. Technically it is delivered two ways: an HTTP request header `Sec-GPC: 1` sent with every request, and a JavaScript property `navigator.globalPrivacyControl` that is `true` when the signal is on. California, Colorado, Connecticut, Texas and others explicitly require honoring it. It is on by default in Brave and the DuckDuckGo browser, and Firefox offers it as a setting (on by default in private windows).
How do I know which state laws apply to my website?
Use PrivacyChecker to scan your website. It detects cookies, trackers, consent mechanisms, and third-party data sharing practices, helping you identify compliance gaps across all applicable regulations — including US state laws.