The privacy law landscape is expanding fast
State privacy legislation in the United States has accelerated dramatically. What started with California's CCPA in 2020 has turned into a nationwide wave of comprehensive privacy laws. By the end of 2026, at least 15 states will have active consumer privacy laws — and more are being introduced every legislative session.
For small businesses, this means your privacy obligations are no longer determined solely by where your business is located. If you serve customers in states with privacy laws, those laws may apply to you regardless of where you operate.
States with privacy laws taking effect in 2026
Several new comprehensive state privacy laws are taking effect during 2026:
Iowa (ICDPA)
Iowa's Consumer Data Protection Act applies to businesses that either control or process personal data of 100,000 or more Iowa consumers, or control or process data of 25,000 or more consumers while deriving more than 50% of gross revenue from the sale of personal data.
Key requirements include the right to access, delete, and opt out of the sale of personal data and targeted advertising.
Delaware (DPDPA)
Delaware's Personal Data Privacy Act has relatively broad applicability. It covers businesses that control or process personal data of 35,000 or more Delaware consumers, or 10,000 or more consumers when they derive more than 20% of gross revenue from data sales.
Delaware's law is notable for its lower thresholds, which could capture smaller businesses that operate in the state.
Nebraska (NDPA)
Nebraska's Data Privacy Act applies to persons who conduct business in Nebraska or produce products or services consumed by Nebraska residents, process or engage in the sale of personal data, and are not a small business as defined by the SBA.
The SBA size standard exemption is unusual and provides some relief for genuine small businesses, though the definition varies by industry.
New Hampshire (NHPA)
New Hampshire's privacy act follows the familiar pattern of requiring businesses that process data of 35,000 or more consumers, or 10,000 or more when deriving 25% or more of revenue from data sales, to comply with consumer data rights.
New Jersey (NJDPA)
New Jersey's Data Privacy Act covers controllers that process personal data of 100,000 or more consumers, or 25,000 or more consumers when deriving revenue from selling personal data. It includes robust consumer rights and requires data protection assessments for certain processing activities.
States with laws effective in 2024 now fully enforced
Several states that enacted privacy laws in 2024 are now in full enforcement mode:
- Texas (TDPSA): Enforced by the Attorney General with no private right of action. Covers businesses with revenue exceeding the $25 million threshold.
- Oregon (OCPA): One of the broader state laws, with no revenue threshold — applying to businesses that process data of 100,000 or more consumers, or 25,000 consumers when selling data.
- Montana (MCDPA): Covers businesses processing data of 50,000 or more Montana consumers, with the notable absence of a revenue threshold.
What these laws require from your business
While each state law has unique details, they share common requirements that your business likely needs to address:
Privacy policy disclosures
Every state privacy law requires a privacy policy that discloses:
- Categories of personal data collected
- Purposes for processing personal data
- Categories of third parties with whom data is shared
- Consumer rights and how to exercise them
- Contact information for privacy inquiries
Consumer rights
Most state laws grant consumers some combination of these rights:
- Right to access: Consumers can request a copy of their personal data
- Right to delete: Consumers can request deletion of their personal data
- Right to correct: Consumers can request correction of inaccurate data
- Right to opt out: Consumers can opt out of the sale of personal data, targeted advertising, and profiling
- Right to portability: Consumers can receive their data in a portable format
Data protection assessments
Several state laws require data protection assessments for processing activities that present a heightened risk of harm to consumers, such as:
- Processing data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling that presents a risk of unfair treatment or discrimination
Opt-out mechanisms
Businesses must provide clear mechanisms for consumers to opt out of data sales and targeted advertising. Some states require recognition of universal opt-out mechanisms like the Global Privacy Control signal.
How to determine if these laws apply to you
Check your customer geography
If you sell products or services to residents of states with privacy laws, those laws may apply to your business — even if you are located in a different state and have no physical presence there.
Review the thresholds
Each state sets its own thresholds for which businesses must comply. Common threshold criteria include:
- Number of consumers whose data you process
- Revenue derived from selling personal data
- Annual gross revenue
- SBA small business status
Inventory your data practices
Before you can determine compliance, you need to understand what personal data you collect, how you use it, and who you share it with. This includes:
- Customer contact information
- Payment processing data
- Website analytics and tracking data
- Marketing automation data
- Employee and applicant data
Steps to take now
1. Update your privacy policy
Your privacy policy should reflect the requirements of every state law that applies to your business. This means including all required disclosures, consumer rights descriptions, and contact information.
2. Implement consumer rights procedures
You need processes to handle consumer requests to access, delete, correct, or port their personal data within the timeframes required by each applicable law (typically 45 days).
3. Review your vendor agreements
If you share personal data with third parties — payment processors, marketing platforms, analytics tools — your agreements with those vendors should include data processing terms that comply with applicable state laws.
4. Train your team
Anyone who handles customer data or could receive a consumer rights request should understand your privacy obligations and know how to route requests appropriately.
5. Document your compliance efforts
Maintaining records of your compliance activities — privacy policy updates, consumer request logs, data protection assessments — demonstrates a good-faith effort and can reduce penalties if issues arise.
The trend is clear
Privacy legislation is not slowing down. More states are expected to pass comprehensive privacy laws in 2026 and beyond. Businesses that proactively build privacy compliance into their operations will be better positioned as the regulatory landscape continues to expand.
How ComplyStack keeps you current
Tracking privacy law changes across multiple states is a full-time job. ComplyStack generates privacy policies tailored to your specific business type and the states where you operate — automatically incorporating the latest requirements so you do not have to monitor every legislative session yourself.

