Every State With a Privacy Law in 2026: What Rights Do You Actually Have?
For most of American history, there was no legal right to control what companies do with your personal data. That's changing — fast. As of May 2026, twenty states have comprehensive consumer privacy laws on the books, and more are in progress. But the laws vary significantly. Some give you strong, enforceable rights. Others are so watered-down they barely matter. This guide covers every state with an active privacy law, what rights each one gives you, and what you can do regardless of where you live.
The Current Landscape
The wave of state privacy legislation began with California's Consumer Privacy Act (CCPA) in 2020 and accelerated rapidly. Between 2023 and 2026, nineteen additional states enacted comprehensive privacy laws. There is still no federal privacy law — the American Privacy Rights Act (APRA) stalled in Congress in 2024 — which means your rights depend heavily on where you live.
Not all privacy laws are created equal. They vary on critical dimensions: whether they cover data sales, whether they require businesses to honor the Global Privacy Control (GPC) signal, whether they include a private right of action, and whether they protect biometric data. The table below provides a quick reference, followed by detailed breakdowns of each state.
Comparison Table: All 20 State Privacy Laws
| State | Law | Effective | Right to Delete | Opt Out of Sale | GPC Required | Private Right of Action |
|---|---|---|---|---|---|---|
| California | CCPA / CPRA | Jan 2020 / Jan 2023 | Yes | Yes | Yes | Limited (breach only) |
| Virginia | VCDPA | Jan 2023 | Yes | Yes | No | No |
| Colorado | CPA | Jul 2023 | Yes | Yes | Yes | No |
| Connecticut | CTDPA | Jul 2023 | Yes | Yes | Yes | No |
| Utah | UCPA | Dec 2023 | Yes | Yes | No | No |
| Iowa | ICDPA | Jan 2025 | Yes | Yes | No | No |
| Indiana | INCDPA | Jan 2026 | Yes | Yes | No | No |
| Tennessee | TIPA | Jul 2025 | Yes | Yes | No | No |
| Montana | MCDPA | Oct 2024 | Yes | Yes | Yes | No |
| Oregon | OCPA | Jul 2024 | Yes | Yes | Yes | No |
| Texas | TDPSA | Jul 2024 | Yes | Yes | Yes | No |
| Delaware | DPDPA | Jan 2025 | Yes | Yes | Yes | No |
| New Jersey | NJDPA | Jan 2025 | Yes | Yes | Yes | No |
| New Hampshire | NHDPA | Jan 2025 | Yes | Yes | Yes | No |
| Kentucky | KCDPA | Jan 2026 | Yes | Yes | No | No |
| Nebraska | NDPA | Jan 2025 | Yes | Yes | Yes | No |
| Rhode Island | RIDPA | Jan 2026 | Yes | Yes | No | No |
| Maryland | MODPA | Oct 2025 | Yes | Yes (sale banned for sensitive) | Yes | No |
| Minnesota | MCDPA | Jul 2025 | Yes | Yes | Yes | No |
| Pennsylvania | PDPA | Jul 2026 | Yes | Yes | Yes | No |
State-by-State Breakdown
California — CCPA / CPRA
Effective: January 1, 2020 (CCPA); January 1, 2023 (CPRA amendments)
California remains the gold standard for US consumer privacy rights. The CCPA, as amended by CPRA, gives residents the right to know what personal information businesses collect, the right to delete it, the right to opt out of the sale and sharing of data, the right to correct inaccuracies, and the right to limit the use of sensitive personal information. California is the only state with a dedicated enforcement agency — the California Privacy Protection Agency (CPPA) — and the only state with a centralized deletion portal (DROP). The law also requires businesses to honor the Global Privacy Control signal. California has a limited private right of action for data breaches.
Notable: California's Delete Act (SB 362) created the DROP platform, the first state-run data broker deletion tool. All data brokers operating in California must register with the state and honor DROP deletion requests.
Virginia — VCDPA
Effective: January 1, 2023
Virginia was the second state to pass a comprehensive privacy law. The VCDPA gives residents the right to access, correct, delete, and obtain a copy of their personal data, plus the right to opt out of data sales, targeted advertising, and profiling. Enforcement is handled exclusively by the Attorney General — there is no private right of action. The law does not require businesses to honor GPC signals, which is a notable gap. Virginia's law exempts employee data and has relatively high applicability thresholds (businesses processing data of 100,000+ consumers or 25,000+ consumers from data sales).
Colorado — CPA
Effective: July 1, 2023
The Colorado Privacy Act is one of the stronger state laws. It requires businesses to honor universal opt-out signals like GPC — making it one of the first states to mandate browser-level privacy controls. Colorado gives consumers the right to access, correct, delete, and port their data, plus the right to opt out of sales, targeted advertising, and certain profiling. The Colorado Attorney General has rulemaking authority, and the detailed regulations include specific requirements for consent mechanisms, dark pattern prohibitions, and data protection assessments for high-risk processing.
Connecticut — CTDPA
Effective: July 1, 2023
Connecticut's law is substantively similar to Colorado's and is considered one of the more consumer-friendly state privacy laws. It requires businesses to honor GPC signals, provides standard access/delete/correct/port rights, and includes an opt-out right for sales, targeted advertising, and profiling. Connecticut also requires data protection assessments for high-risk processing and has specific provisions for children's data. The Attorney General handles enforcement, with a 60-day cure period that expired on January 1, 2025 — meaning businesses can now face penalties without an opportunity to fix violations first.
Utah — UCPA
Effective: December 31, 2023
Utah's Consumer Privacy Act is widely regarded as the weakest comprehensive privacy law in the US. It provides basic access, deletion, and portability rights, but the opt-out right only covers data sales and targeted advertising — not profiling. Utah does not require GPC recognition, has high applicability thresholds ($25 million revenue plus data processing of 100,000 consumers), and does not require data protection assessments. The law was drafted with significant industry input and is considered the most business-friendly state privacy law.
Iowa — ICDPA
Effective: January 1, 2025
Iowa's law provides standard consumer rights including access, deletion, portability, and opt-out of sales and targeted advertising. Like Utah, it does not require GPC recognition and provides a generous 90-day cure period for violations. The law applies to businesses processing data of 100,000+ Iowa consumers or 25,000+ consumers with revenue from data sales. Enforcement is through the Attorney General only.
Indiana — INCDPA
Effective: January 1, 2026
Indiana's law, one of the most recent to take effect, follows the Virginia model closely. It provides access, correction, deletion, portability, and opt-out rights for data sales, targeted advertising, and profiling. The law includes a 30-day cure period and does not require GPC recognition. Enforcement is through the Attorney General. The applicability threshold matches Virginia's: 100,000 consumers, or 25,000 consumers with revenue from data sales.
Tennessee — TIPA
Effective: July 1, 2025
Tennessee's Information Protection Act provides standard privacy rights including access, correction, deletion, portability, and opt-out of sales, targeted advertising, and profiling. Notable for including specific protections for biometric data and requiring data protection assessments for targeted advertising. The law includes a 60-day cure period and enforcement is through the AG only.
Montana — MCDPA
Effective: October 1, 2024
Montana's Consumer Data Privacy Act is noteworthy for applying to a much smaller population — Montana has about 1.1 million residents — yet still providing strong protections. The law requires GPC recognition, provides standard access/delete/correct/opt-out rights, and has the lowest applicability threshold based on number of consumers (50,000) of any state with a comprehensive privacy law. Montana also requires data protection assessments and has a 60-day cure period that expires in 2025.
Oregon — OCPA
Effective: July 1, 2024
The Oregon Consumer Privacy Act is considered one of the stronger laws. It includes standard rights plus notable provisions: it applies to nonprofit organizations (most state privacy laws exempt nonprofits), it requires GPC recognition, and it defines "sensitive data" broadly to include a consumer's status as transgender or nonbinary. Oregon also has one of the lower applicability thresholds — businesses processing data of 100,000 consumers or 25,000 consumers with revenue from data sales. The cure period expired on January 1, 2026.
Texas — TDPSA
Effective: July 1, 2024
The Texas Data Privacy and Security Act is significant simply because of Texas's population — over 30 million residents. The law requires GPC recognition, provides standard access/correct/delete/port/opt-out rights, and applies to businesses operating in Texas that process personal data. Notably, the TDPSA has no revenue threshold and no minimum number of consumers — any business in Texas that processes personal data and isn't a small business under SBA definitions must comply. Texas also requires a data broker registration that is separate from the privacy law.
Delaware — DPDPA
Effective: January 1, 2025
Delaware's Personal Data Privacy Act provides standard consumer rights and requires GPC recognition. Notable for a lower applicability threshold than many states — 35,000 consumers (excluding payment transactions) or 10,000 consumers with more than 20% of revenue from data sales. Delaware also includes specific provisions for children's data and targeted advertising directed at minors. The 60-day cure period expires on December 31, 2025.
New Jersey — NJDPA
Effective: January 15, 2025
New Jersey's law is considered consumer-friendly, with standard rights plus GPC recognition. It applies to businesses processing data of 100,000 consumers or 25,000 consumers with revenue from data sales. New Jersey defines "sensitive data" to include financial information, which not all states do. The law does not include a cure period — violations can be enforced immediately by the AG.
New Hampshire — NHDPA
Effective: January 1, 2025
New Hampshire's law follows the Connecticut model and is relatively consumer-friendly. It requires GPC recognition, provides standard rights, and applies to businesses processing data of 35,000 consumers or 10,000 consumers with more than 25% revenue from data sales. No cure period — the AG can pursue violations immediately.
Kentucky — KCDPA
Effective: January 1, 2026
Kentucky's Consumer Data Protection Act follows the Virginia model closely. Standard access, correction, deletion, portability, and opt-out rights. Does not require GPC recognition. Includes a 30-day cure period. Enforcement through the AG only. Applicability threshold: 100,000 consumers or 25,000 consumers with more than 50% revenue from data sales.
Nebraska — NDPA
Effective: January 1, 2025
Nebraska's Data Privacy Act is notable for having no applicability threshold based on number of consumers — it applies to all businesses conducting business in Nebraska that process personal data and are not small businesses. This is the broadest applicability of any state privacy law. Nebraska requires GPC recognition and provides standard consumer rights. No cure period.
Rhode Island — RIDPA
Effective: January 1, 2026
Rhode Island's law provides standard consumer rights including access, deletion, correction, portability, and opt-out of sales and targeted advertising. Enforcement is through the AG. The law includes a 30-day cure period but does not require GPC recognition. Rhode Island's applicability thresholds follow the Virginia model.
Maryland — MODPA
Effective: October 1, 2025
Maryland's Online Data Privacy Act is one of the most aggressive state privacy laws. It goes beyond other states by limiting data collection to what is "reasonably necessary" for the service being provided — a data minimization standard that mirrors GDPR more than any other US state law. Maryland bans the sale of sensitive data entirely (not just requiring opt-out). The law requires GPC recognition and provides a full suite of consumer rights. This is widely considered the second-strongest state privacy law after California.
Minnesota — MCDPA
Effective: July 31, 2025
Minnesota's Consumer Data Privacy Act provides standard consumer rights with several strong provisions. It requires GPC recognition, includes protections for biometric and health data, and mandates data protection impact assessments. The law applies to businesses processing data of 100,000 consumers or 25,000 consumers with revenue from data sales. Enforcement is through the AG.
Pennsylvania — PDPA
Effective: July 1, 2026
Pennsylvania's law is the newest on this list, taking effect mid-2026. It provides standard rights including access, correction, deletion, portability, and opt-out of sales, targeted advertising, and profiling. Pennsylvania requires GPC recognition and mandates data protection assessments. The law includes no cure period and applies to businesses processing data of 100,000 consumers or 25,000 consumers with revenue from data sales.
What If Your State Isn't on This List?
Thirty states still have no comprehensive consumer privacy law. If you live in one of them, you have fewer statutory rights — but you're not without options.
Privacy Rights for Every American
- CCPA applies to most brokers regardless of your state. Most major data brokers are either based in California or do business there, which means they must comply with CCPA. In practice, most brokers honor CCPA-style deletion requests from all US residents rather than verifying state residency on a per-request basis.
- You can submit opt-out requests directly. Data broker opt-out pages don't typically verify your state. You can submit removal requests to Spokeo, BeenVerified, WhitePages, and hundreds of other brokers regardless of where you live.
- Federal laws provide category-specific protection. FCRA protects your credit data. HIPAA protects health data held by covered entities. FERPA protects education records. COPPA protects children's data. These apply nationwide.
- GPC works everywhere. Even if your state doesn't require GPC compliance, many businesses honor GPC signals voluntarily because it's easier to implement one standard than to check every user's state. Enable GPC in your browser regardless of where you live.
A data removal service like GhostVault submits CCPA-based deletion requests on your behalf regardless of which state you live in. Because most brokers process these requests without verifying residency, you get practical privacy protection even without a state law backing you up. GhostVault covers 500+ brokers at $3.99/month and works in all 50 states.
Key Trends to Watch
The state privacy landscape is moving fast. Here are the trends that matter most:
- GPC is becoming standard. A majority of new state privacy laws now require businesses to honor Global Privacy Control signals. This is effectively creating a national standard through state-level adoption. If you're not using GPC yet, enable it in Firefox, Brave, or DuckDuckGo browser.
- Cure periods are disappearing. Early state laws gave businesses 30–60 days to "cure" violations before facing penalties. Newer laws — New Jersey, Nebraska, New Hampshire, Pennsylvania — have no cure period. This increases enforcement pressure and incentivizes proactive compliance.
- Maryland's data minimization model may spread. Maryland's approach — limiting collection to what's "reasonably necessary" — addresses the root cause of privacy violations rather than just giving consumers opt-out tools. If this model proves enforceable, other states may follow.
- Broker registration is expanding. California, Texas, Oregon, and Vermont all require data broker registration. As more states add registration requirements, it becomes harder for brokers to operate without accountability.
- Federal law remains unlikely before 2028. The APRA failed in Congress in 2024. Industry groups oppose federal preemption of stronger state laws, while business groups oppose keeping state laws intact. This stalemate means states will continue to be the primary source of privacy rights for the foreseeable future.
How to Exercise Your Rights
Regardless of which state you live in, here's a practical guide to exercising your privacy rights:
- Enable Global Privacy Control. In Firefox, go to Settings > Privacy > and check "Tell websites not to sell or share my data." In Brave, GPC is enabled by default. In DuckDuckGo browser, GPC is also on by default. This sends an automatic opt-out signal to every website you visit.
- Submit deletion requests to major brokers. Start with the biggest people-search sites: Spokeo, BeenVerified, WhitePages, TruePeopleSearch, and Radaris. Each has an opt-out page. This is time-consuming — expect to spend 30–60 minutes per broker — which is why services like GhostVault exist to automate the process.
- Request your consumer reports. You're entitled to free copies of your LexisNexis consumer report, your ChexSystems report, and your Verisk CLUE report once per year under FCRA. Review these for inaccuracies and dispute anything incorrect.
- Check for California DROP eligibility. If you live in California, submit a DROP request through the CPPA's portal. It's free and sends deletion requests to all 530+ registered brokers at once.
- Use your state AG's complaint process. If you submit a deletion request and a business doesn't respond within the timeframe required by your state's law (usually 45 days), file a complaint with your state Attorney General. State AGs have enforcement authority under all 20 privacy laws.
The Bottom Line
Your privacy rights in 2026 depend on your zip code. California and Maryland residents have the strongest protections. Residents of states without privacy laws rely on CCPA's practical reach and direct opt-out requests. But regardless of where you live, you can take action today — enable GPC, submit opt-out requests to the brokers holding your data, and consider a service that automates the ongoing removal process. The law may eventually catch up. Your data doesn't wait.
Frequently Asked Questions
How many states have privacy laws in 2026?
Twenty states have enacted comprehensive consumer privacy laws as of May 2026. California led in 2020, followed by Virginia, Colorado, Connecticut, and Utah in 2023. The years 2024–2026 saw rapid expansion, with Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Rhode Island, Maryland, Minnesota, and Pennsylvania all enacting laws. Several additional states have legislation pending, and the number is expected to continue growing.
Do I have privacy rights if my state doesn't have a privacy law?
Yes, in practice. Most major data brokers must comply with California's CCPA because they do business in California. Rather than maintaining separate systems for each state, most brokers honor CCPA-style deletion requests from all US residents. You can also submit direct opt-out requests to data brokers — their opt-out pages typically don't verify your state of residence. Additionally, federal laws like FCRA (credit), HIPAA (health), and COPPA (children) provide nationwide protections for specific data categories.
Which state has the strongest privacy law?
California has the most comprehensive privacy law, with the broadest rights, a dedicated enforcement agency (CPPA), the DROP deletion portal, and a limited private right of action for data breaches. Maryland's law, effective October 2025, is the second strongest — it uniquely limits data collection to what is "reasonably necessary" and bans the sale of sensitive data entirely, rather than just providing opt-out rights. Together, California and Maryland represent the leading edge of US consumer privacy protection.
What is the Global Privacy Control (GPC) and which states require it?
GPC is a browser-level setting that sends an automatic opt-out signal to every website you visit, telling them not to sell or share your personal data. Unlike the old Do Not Track signal, GPC has legal backing in multiple states. As of 2026, California, Colorado, Connecticut, Montana, Texas, Delaware, Oregon, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, and Pennsylvania all require businesses to honor GPC signals. You can enable GPC in Firefox, Brave, and DuckDuckGo browsers, or through browser extensions like Privacy Badger.
Will there be a federal privacy law?
Not soon. The American Privacy Rights Act (APRA), introduced in April 2024 with bipartisan support, failed to advance through Congress. The core disagreement is over federal preemption — whether a federal law should override stronger state laws like California's. Industry groups want preemption to create a single national standard. Consumer advocacy groups and state AGs oppose it, arguing it would weaken protections in states like California and Maryland. Most privacy law experts do not expect a federal comprehensive privacy law before 2028 at the earliest. Until then, state laws remain your primary source of data privacy rights.
This is just one of 500+ brokers selling your data.
GhostVault removes you from all of them automatically — and keeps you removed.