
The US State Privacy Law Tracker for 2026: Twenty Laws, One Compliance Baseline

Twenty US states now have comprehensive privacy laws. Twelve require honoring Global Privacy Control. Only California gives consumers a private right of action. A practitioner's map of the applicability thresholds, the rights, the UOOM requirements, and the realistic compliance baseline for a business operating nationally.


As of April 2026, twenty US states have comprehensive privacy laws in effect. Twelve of those states require businesses to honor Global Privacy Control as a Universal Opt-Out Mechanism. California, Colorado, and Connecticut are running a coordinated enforcement sweep against non-compliant sites. One state (Maryland) bans the sale of sensitive personal information outright. One state (Texas) has no revenue threshold for applicability. And the long-anticipated federal privacy law, the American Privacy Rights Act, expired without a vote at the end of the 118th Congress.

This post is the working map of the US state privacy landscape as of April 2026. It is built for compliance officers and privacy engineers at businesses that operate nationally and need a realistic baseline for which laws apply, which rights to grant, and which signals to honor. It does not replace state-by-state legal analysis for specific compliance decisions; it is the 80% operational summary that gets you to the right questions.

TL;DR. Twenty active state privacy laws in April 2026, three of which (Indiana, Kentucky, Rhode Island) took effect January 1, 2026. Only California grants a private right of action, and only for data breaches, not general violations. Twelve states (California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas) require honoring Global Privacy Control. Texas and Nebraska have no revenue or volume threshold. Florida has an effectively unreachable $1B threshold. Maryland has the strictest data minimization language in the US and bans SPI sale. The compliance baseline for a business operating nationally: recognize GPC universally, offer all consumer rights, obtain opt-in consent for sensitive PI, and contract carefully with ad-tech vendors.

The twenty active state laws

Status as of April 17, 2026:

#  | State         | Law                     | Effective                                   | UOOM / GPC              | Cure period
---|---------------|-------------------------|---------------------------------------------|-------------------------|-------------------------------
1  | California    | CCPA as amended by CPRA | Jan 1, 2020 / Jan 1, 2023                   | Yes                     | Discretionary only
2  | Virginia      | VCDPA                   | Jan 1, 2023                                 | No                      | 30 days (no sunset)
3  | Colorado      | CPA                     | Jul 1, 2023                                 | Yes                     | 60 days (sunset Jan 1, 2025)
4  | Connecticut   | CTDPA                   | Jul 1, 2023                                 | Yes                     | 60 days (sunset Jan 1, 2025)
5  | Utah          | UCPA                    | Dec 31, 2023                                | No                      | 30 days
6  | Texas         | TDPSA                   | Jul 1, 2024                                 | Yes (as of Jan 1, 2025) | 30 days
7  | Oregon        | OCPA                    | Jul 1, 2024 (nonprofits Jul 1, 2025)        | Yes (as of Jan 1, 2026) | 30 days (sunset Jan 1, 2026)
8  | Montana       | MCDPA                   | Oct 1, 2024                                 | Yes                     | 60 days (sunset Apr 1, 2026)
9  | Florida       | FDBR                    | Jul 1, 2024                                 | No                      | 45 days
10 | Iowa          | ICDPA                   | Jan 1, 2025                                 | No                      | 90 days
11 | Delaware      | DPDPA                   | Jan 1, 2025                                 | Yes                     | 60 days (sunset Jan 1, 2026)
12 | New Hampshire | NH SB 255               | Jan 1, 2025                                 | Yes                     | 60 days (first year only)
13 | Nebraska      | NDPA                    | Jan 1, 2025                                 | Yes                     | 30 days (no sunset)
14 | New Jersey    | NJ SB 332               | Jan 15, 2025                                | Yes                     | 30 days (sunset Jul 15, 2026)
15 | Tennessee     | TIPA                    | Jul 1, 2025                                 | No                      | 60 days (no sunset)
16 | Minnesota     | MCDPA                   | Jul 31, 2025                                | Yes                     | 30 days (sunset Jan 31, 2026)
17 | Maryland      | MODPA                   | Oct 1, 2025 (processing post-Apr 1, 2026)   | Yes                     | 60 days (sunset Apr 1, 2027)
18 | Indiana       | ICDPA                   | Jan 1, 2026                                 | No                      | 30 days (no sunset)
19 | Kentucky      | KCDPA                   | Jan 1, 2026 (DPAs Jun 1, 2026)              | No                      | 30 days
20 | Rhode Island  | RIDTPPA                 | Jan 1, 2026                                 | No                      | None

Watch list:

  • Oklahoma Consumer Privacy Law (SB 546) was signed March 20, 2026. Effective date pending clarification.
  • Arkansas privacy law referenced in trackers for a July 1, 2026 effective date; verify the statute text before relying on it.

Primary sources for the table: IAPP US State Privacy Tracker, MultiState privacy tracker, and Bloomberg Law's state tracker.

The California baseline

California is the reference case, both in ambition and in enforcement. The statute is Cal. Civ. Code §§ 1798.100 et seq., as amended by CPRA. Enforcement by the California Privacy Protection Agency (CPPA) since July 1, 2023, alongside the Attorney General.

Distinguishing features:

  • Covers employees, job applicants, and B2B contacts (every other state covers only consumers)
  • Right to limit use of sensitive personal information (SPI)
  • Private right of action for data breaches specifically, under § 1798.150 (not for general violations)
  • Cure period eliminated for most post-CPRA violations
  • Comprehensive regulations at 11 CCR §§ 7000 et seq.

The full California operational guide is in the CCPA Cookie Banner Requirements pillar and the CCPA vs. CPRA diff. The 2025-2026 enforcement record, most instructive of the current enforcement posture, is in The Honda, Ford, and Disney Cases.

The second-generation laws (Virginia, Colorado, Connecticut, Utah)

These four laws, enacted between 2021 and 2022 and taking effect through 2023, established the post-CCPA template that most subsequent states followed.

Virginia CDPA. Effective January 1, 2023. AG-only enforcement. 30-day cure period that has no sunset. No UOOM requirement. Notable for being the first non-California state law and for setting a template other states extended.

Colorado Privacy Act (CPA). Effective July 1, 2023. Colorado was the first state to require honoring a Universal Opt-Out Mechanism, with the Colorado AG approving GPC as the first UOOM under CPA regulations 4 CCR 904-3, Part 5. Enforcement by the AG and District Attorneys. The 60-day cure period sunsetted January 1, 2025.

Connecticut CTDPA. Effective July 1, 2023. UOOM requirement phased in January 1, 2025. Enforcement by the AG. Heightened teen protections under SB 3 amendments (effective October 2024).

Utah UCPA. Effective December 31, 2023. The most business-friendly of this cohort: narrower applicability (requires $25M revenue plus 100K consumer threshold), no UOOM requirement, 30-day cure period. Enforcement through the Division of Consumer Protection.

The 2024-2025 expansion (Texas, Oregon, Montana, Florida, and more)

2024 and 2025 saw the largest wave of new state laws. Several notable additions to the pattern:

Texas TDPSA is the most operationally important new law, and it's the one most compliance teams underestimate. Texas has no revenue or volume threshold. The law applies to any business that "conducts business in Texas or produces products or services consumed by Texas residents" and processes personal data, unless the business meets the SBA definition of a small business. Even small businesses must obtain consent to sell sensitive PI. Combined with Attorney General Ken Paxton's active enforcement posture, this makes Texas the jurisdiction that reaches more businesses than any other state. UOOM requirement effective January 1, 2025 per § 541.055(e).

Nebraska NDPA uses the same threshold-less applicability model as Texas. Effective January 1, 2025.

Florida FDBR has the opposite pattern: an extremely high applicability threshold. Businesses are in scope only if they have $1B+ annual gross revenue AND derive 50%+ of revenue from online ads, OR operate a consumer smart speaker with virtual assistant, OR operate an app store with 250,000+ apps. The effective universe is approximately ten companies. Effective July 1, 2024.

Oregon OCPA extends similar rights and adds the UOOM requirement as of January 1, 2026 under 2025 amendments (HB 2008). The amendments also prohibit the sale of personal data of known under-16 consumers and add geolocation-sale restrictions (within 1,750 feet radius).

Montana MCDPA effective October 2024, amended October 2025 by SB 297. UOOM requirement in effect.

The 2025-2026 additions: Delaware, New Hampshire, Nebraska, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island

Twelve additional states joined between January 2025 and January 2026. The operationally distinctive ones:

Maryland MODPA. Effective October 1, 2025 (applies to processing post-April 1, 2026). The strictest data minimization language in US law: collection must be "reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer." Maryland is the first state to ban the sale of sensitive personal information outright. If you process sensitive PI and operate in Maryland, you cannot monetize that data via sale, regardless of consent.

New Jersey SB 332. Effective January 15, 2025. First state to require opt-in consent to process data of consumers aged 13 to 17 for targeted advertising, sale, or profiling. The age-related opt-in requirement expands on COPPA (which covers under-13s) and aligns with similar provisions in Connecticut and Maryland.

Minnesota MCDPA. Effective July 31, 2025. UOOM requirement. The 30-day cure period sunset January 31, 2026.

Tennessee TIPA. Effective July 1, 2025. Notable for a unique NIST-framework safe harbor: businesses that align their privacy program with the NIST Privacy Framework get affirmative defenses against certain enforcement actions. No UOOM requirement.

Indiana ICDPA. Effective January 1, 2026. AG-only enforcement. 30-day cure period that does not sunset. No UOOM requirement.

Kentucky KCDPA. Effective January 1, 2026 (DPAs and risk assessments from June 1, 2026). AG-only enforcement.

Rhode Island RIDTPPA. Effective January 1, 2026. No cure period. Low thresholds (35,000 consumers, or 10,000 consumers plus 20% revenue from sale). The combination of low thresholds and no cure period makes Rhode Island an outlier.

The UOOM question: twelve states and counting

Global Privacy Control is now the near-de-facto Universal Opt-Out Mechanism across the states that require one. The current list:

State         | Effective         | Authority
--------------|-------------------|---------------------------------------
California    | 2023 (formalized) | 11 CCR § 7025
Colorado      | Jul 2024          | 4 CCR 904-3, Part 5 (CO AG approved)
Connecticut   | Jan 2025          | AG guidance under CTDPA
Texas         | Jan 2025          | TDPSA § 541.055(e)
Delaware      | Jan 2025          | DPDPA
New Hampshire | Jan 2025          | NH SB 255
Nebraska      | Jan 2025          | NDPA
New Jersey    | Jan 2025          | NJ SB 332
Minnesota     | Jul 2025          | MCDPA
Maryland      | Oct 2025          | MODPA
Montana       | Oct 2024          | MCDPA as amended
Oregon        | Jan 2026          | OCPA 2025 amendments

On September 9, 2025, the California Privacy Protection Agency, Colorado Attorney General, and Connecticut Attorney General announced a coordinated investigative sweep of companies for non-compliance with opt-out preference signals. This is the first cross-state coordinated action on a specific privacy-technical issue. The implication: UOOM compliance is now a multi-state enforcement priority, not a state-by-state problem.

The GPC compliance guide has the implementation detail: HTTP header, DOM property, middleware patterns across common frameworks, and the specific requirements of California's § 7025(c)(6) display rule effective January 1, 2026.

Cross-state differences that matter

For a business operating nationally, the differences that affect consent architecture:

All states except California, Utah, and Iowa require opt-in consent to process sensitive personal information. Iowa is the outlier that requires only clear notice and opt-out for SPI. Maryland goes further and prohibits sale of SPI outright, making consent irrelevant in that context.

The operational pattern for most states: a second layer in the consent flow that requires explicit opt-in for SPI categories (precise geolocation, racial or ethnic origin, religious beliefs, biometric identifiers, health data, sexual orientation, genetic data). California uses a different mechanism (the "Limit the Use of Sensitive Personal Information" right).

Employee and job-applicant data

California is the only state whose comprehensive law applies to employees, job applicants, and B2B contacts. All nineteen other laws are consumer-only. The Tractor Supply enforcement (September 2025) was the first reported CCPA action specifically addressing job-applicant rights.

Private right of action

Only California provides a PRA, and only under § 1798.150 for certain data breaches (not for general privacy violations). Every other state reserves enforcement to the AG, DOJ, or a dedicated privacy regulator.

Cure periods

Most states started with cure periods (typically 30-60 days) that have either sunsetted or are about to. The "come back in 30 days" strategy that worked in 2023 generally doesn't work in 2026. California's cure period is fully discretionary. Rhode Island has no cure period at all. Virginia and Utah kept theirs.

Children and teens

The patchwork of age-related add-ons is growing:

  • California SB 976 (effective January 1, 2025; partial Ninth Circuit injunction September 2025): addictive-feed restrictions for minors.
  • New Jersey SB 332: opt-in consent for 13-17 for targeted ads, sale, profiling.
  • Connecticut SB 3 (October 2024): heightened teen protections.
  • Delaware DPDPA: opt-in for known minors' sensitive data.
  • Maryland MODPA: bans targeted advertising to consumers known to be under 18.
  • Oregon HB 2008 (2025): prohibits sale of under-16 data.
  • Florida FDBR: specific children's data provisions.

The federal picture

The American Privacy Rights Act (APRA) was the most serious federal privacy legislation since 2018. Introduced April 2024 by Senator Cantwell (D-WA) and Representative McMorris Rodgers (R-WA), it combined civil rights protections, a private right of action, and preemption of state laws into a single framework. In June 2024, civil rights provisions were stripped in markup, support collapsed, and the markup was canceled. APRA expired at the end of the 118th Congress (January 2025) and has not been reintroduced as of April 2026.

The practical consequence: federal preemption is not on the near-term horizon. The state-by-state compliance matrix is the durable planning assumption through at least 2028.

FTC Section 5 remains the de facto federal backstop. The FTC uses unfair/deceptive practices authority to enforce against privacy representations, plus specific statutes (Health Breach Notification Rule, COPPA for under-13s). The Biden-era FTC was active; the 2025-2026 FTC has been less so, though specific enforcement continues.

The practical compliance baseline for a national business

For a business that operates in multiple states and wants a single compliance posture, the "highest common denominator" approach:

1. Honor Global Privacy Control universally.

Recognize the Sec-GPC: 1 header on the server and navigator.globalPrivacyControl on the client. Honor the signal as an opt-out of sale and sharing and targeted advertising. This satisfies the UOOM requirement in twelve states and is operationally cheaper than state-specific logic. The unified implementation guide has the code.
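The two checks in step 1, as an added JavaScript example. This is not code from the post or from the unified implementation guide it points to. The `Sec-GPC` header, its value `1`, and the `navigator.globalPrivacyControl` property come from the GPC specification; the twelve-state list mirrors the UOOM table earlier in the post; the two-letter state codes, the function names, the consent-record shape, and the `req.consumerState` field are this example's own assumptions. It also covers the state-scoped alternative discussed in the FAQ (honoring the signal only where a UOOM statute applies), so the two postures can be compared on the same constructed requests.

```javascript
// Added example: recognizing Global Privacy Control (GPC) on the server and the client and
// turning it into an opt-out decision. Illustrative code, not the post's own or its
// "unified implementation guide" code. The request header "Sec-GPC: 1" and the DOM property
// navigator.globalPrivacyControl come from the GPC specification; the UOOM state list
// mirrors the twelve states named in the post; function and field names are this example's.

// States the post lists as requiring a Universal Opt-Out Mechanism (two-letter codes assumed).
const UOOM_STATES = new Set([
  'CA', 'CO', 'CT', 'DE', 'MD', 'MN', 'MT', 'NE', 'NH', 'NJ', 'OR', 'TX',
]);

// Server side: is GPC asserted on this request? Per the spec only the exact value "1"
// counts; an absent header, "0", or a malformed value is "not asserted". Header lookup is
// case-insensitive and accepts a plain object (Node's req.headers) or a Fetch Headers object.
function gpcAsserted(headers) {
  if (!headers) return false;
  let value;
  if (typeof headers.get === 'function') {
    value = headers.get('sec-gpc'); // Fetch Headers: case-insensitive, null when absent
  } else {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
    value = key === undefined ? undefined : headers[key];
  }
  if (Array.isArray(value)) value = value[0]; // some servers expose repeated headers as arrays
  return typeof value === 'string' && value.trim() === '1';
}

// Client side: the same check against the DOM property. The navigator object is passed in
// so the function also runs outside a browser with a constructed stand-in.
function clientGpcAsserted(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide what to do with the signal. honorUniversally=true is the baseline the post
// recommends; false gives the state-scoped alternative, honoring the signal only where a
// statute requires a UOOM.
function gpcDecision({ asserted, state = null, honorUniversally = true }) {
  const required = asserted && state !== null && UOOM_STATES.has(String(state).toUpperCase());
  const honored = asserted && (honorUniversally || required);
  let basis = 'no-signal';
  if (asserted) {
    basis = honored ? (required ? 'uoom-statute' : 'policy-universal') : 'not-honored-outside-uoom-state';
  }
  return { asserted, required, honored, basis };
}

// Apply an honored signal to a stored consent record: the three purposes GPC opts out of
// (sale, sharing, targeted advertising) are switched off; other purposes are untouched.
// The {purpose: boolean} record shape is constructed for this example.
function applyGpcToConsent(consent, decision) {
  if (!decision.honored) return { ...consent };
  return { ...consent, sale: false, sharing: false, targetedAdvertising: false };
}

// Framework-agnostic middleware in the (req, res, next) shape used by Express/Connect-style
// servers: annotates the request and hands off. req.consumerState is assumed to have been
// set by earlier geolocation or account logic (an assumption of this example).
function gpcMiddleware(options = {}) {
  const { honorUniversally = true } = options;
  return function (req, res, next) {
    const asserted = gpcAsserted(req.headers);
    req.gpc = gpcDecision({ asserted, state: req.consumerState ?? null, honorUniversally });
    if (typeof next === 'function') next();
  };
}

// Constructed sample requests (not captured traffic) covering the four cases that matter.
const SAMPLE_REQUESTS = [
  { headers: { 'sec-gpc': '1' }, consumerState: 'TX' }, // UOOM statute requires honoring
  { headers: { 'Sec-GPC': '1' }, consumerState: 'VA' }, // no UOOM statute; policy decides
  { headers: { 'sec-gpc': '0' }, consumerState: 'CA' }, // explicitly not asserted
  { headers: {}, consumerState: 'CO' },                  // no header at all
];

// Run the middleware over the samples and return one decision per request.
function runSamples(honorUniversally = true) {
  const handle = gpcMiddleware({ honorUniversally });
  return SAMPLE_REQUESTS.map((sample) => {
    const req = { ...sample };
    handle(req, {}, () => {});
    return { state: req.consumerState, ...req.gpc };
  });
}

for (const result of runSamples()) console.log(result);
```

The `basis` field is there for the audit trail: when a regulator asks why a given record shows sale and sharing switched off, the answer should be recoverable as either a statutory UOOM obligation or the business's own universal-honoring policy, and the record should never show a GPC-driven opt-out that the signal did not actually carry.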

2. Expose the standard consumer rights.

Access, deletion, correction, portability, opt-out of sale/share/targeted advertising, and limit use of sensitive PI (California-style). Most states require most of these; exposing them universally means you satisfy each state's version without state-by-state product logic.

3. Obtain opt-in consent for sensitive personal information.

In all states except California, Utah, and Iowa, opt-in is required for SPI processing. In Maryland, sale of SPI is outright prohibited. Building opt-in consent into the flow universally is simpler than exempting three states.

4. Post a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of Sensitive Personal Information" link, or the unified "Your Privacy Choices" link.

California-specific requirements under 11 CCR § 7013. The unified "Your Privacy Choices" link with the blue toggle icon satisfies both obligations and is the cleanest UX.

5. Respond to consumer rights requests within 45 days.

Most state laws allow 45 days with a 45-day extension for complex requests. Building the back-end to this SLA covers all twenty state laws.

6. Publish a transparent privacy policy.

Include processing purposes, PI categories, retention periods (CPRA-style proportionality), service-provider and third-party disclosures, rights and request mechanisms, and effective date. Update at least annually.

7. Contract carefully with ad-tech vendors.

CCPA's service-provider, contractor, and third-party contract requirements (post-CPRA) are the strictest. Tractor Supply's settlement (September 2025) specifically cited deficient ad-tech contracts as a finding. Using pre-2023 data processing addenda is an enforcement risk.

8. Treat COPPA and state-specific teen protections as separate obligations.

COPPA applies to under-13s federally. State laws layer on top: NJ requires opt-in for 13-17, MD prohibits targeted ads for under-18s known to be minors, OR prohibits sale of under-16 data. These are product-specific obligations; a single rule doesn't cover them all.

Where this goes from here

Three realistic trajectories for 2026-2027:

State law expansion continues. Ten to fifteen additional states will likely pass comprehensive privacy laws over the next two years. The template is stabilizing (a CCPA-Colorado hybrid with state-specific variations), which makes the operational surface for each new state smaller.

UOOM requirements become near-universal. The California-Colorado-Connecticut coordinated sweep signals that multi-state enforcement on GPC is now active. Expect more states to add UOOM requirements explicitly and existing state AGs to extend enforcement to businesses ignoring the signal.

Federal preemption stays stuck. APRA's collapse was due to bipartisan disagreement on civil rights and private right of action, neither of which is easier to resolve in 2026 than in 2024. A scaled-back federal law (privacy protections without civil rights or PRA) might pass, but full preemption is unlikely before 2028 at the earliest.

For privacy engineers, the implication is that the right operational posture is the CCPA-plus-GPC baseline, with state-specific exceptions handled at the margin. Building product logic for twenty state laws is not scalable; building logic for one baseline and exception flags for the edge cases is.

FAQ

Which states apply to my business?

Every state whose residents are consumers of your products or services, provided the state's applicability thresholds are met. For most state laws, the thresholds are either revenue-based ($25M typically), consumer-count-based (35,000 to 100,000 typically), or a combination. Texas and Nebraska have no thresholds. Florida requires $1B+ revenue. The specific threshold determination is per-state and worth confirming against the current statute text before relying on it.

Do I have to honor GPC for users outside UOOM states?

The regulatory obligation is limited to UOOM states. But the signal is clean, the operational cost of honoring it universally is low, and it's a defensible privacy posture. Most mature implementations honor GPC globally. Honoring it only for UOOM-state users is also defensible but requires state-scoped logic that adds complexity.

What's the quickest indicator that a state is active on enforcement?

Look at three things: whether the state has a dedicated privacy regulator (California CPPA is unique), whether the AG has a dedicated privacy enforcement team (Texas does, California does), and whether the AG has issued cookie or banner-related public statements in the past year. California, Colorado, Connecticut, and Texas are currently the most active.

How do I handle the "threshold-less" Texas law?

Assume you are in scope unless you fit the SBA small-business definition. Even small businesses must obtain consent to sell sensitive personal information under TDPSA. The operational simplicity is to treat Texas like California: apply the full compliance posture, honor GPC, expose consumer rights, contract carefully.

What is the status of the federal APRA?

Expired at the end of the 118th Congress (January 2025). Has not been reintroduced as of April 2026. Federal preemption is not on the near-term horizon; the state-by-state compliance matrix is the durable planning assumption.

Which state has the strictest privacy requirements overall?

Maryland MODPA (effective October 2025) is arguably the strictest, based on its "reasonably necessary and proportionate" data minimization language and its ban on sensitive PI sale. California has the most developed enforcement record and regulator expertise. The "strictest" question depends on which axis: statute text (Maryland), enforcement intensity (California), or applicability reach (Texas).

Do private rights of action exist outside California?

No. Only California provides a PRA, and only for certain data breaches under § 1798.150, not for general privacy violations. Every other state reserves enforcement to a government regulator.

What happens when a cure period sunsets?

The cure period is what lets a business "fix it" after receiving notice of a violation, without a fine. When a cure period sunsets, the AG or regulator can move directly to enforcement, typically with civil penalties. Colorado's cure sunsetted January 1, 2025. Connecticut's sunsetted January 1, 2025. Delaware's sunsetted January 1, 2026. The regulatory pattern is clear: early-leniency provisions phase out.

Is a state's private right of action a real compliance risk?

For California, yes, but narrowly. The PRA is for data breaches involving specific categories of personal information and requires actual injury. It has generated meaningful litigation but not a flood of cases. For all other states, the AG is the enforcement pathway. Litigation risk from PRA is lower than the risk from regulator enforcement.

Where to go from here

If you are building a privacy compliance posture from scratch in 2026, start with the CCPA baseline, honor Global Privacy Control universally, obtain opt-in consent for sensitive personal information, and contract carefully with ad-tech vendors. That covers the meaningful obligations across all twenty state laws plus whatever passes in 2026-2027.

For the California specifics, see the CCPA Cookie Banner Requirements pillar. For the EU counterpart, see GDPR Cookie Consent in 2026. For GPC implementation across server frameworks, see the GPC compliance guide and the unified Consent Mode / GPC / GPP implementation.

If you want a practitioner's read on where your current implementation sits against the twenty-state matrix, Consenteo's team has implemented multi-state compliance architectures on 200+ corporate sites. Get in touch for a conversation.
