New State Privacy Laws in 2026: What You Need to Know
Discover what's changing in 2026 with new state privacy laws. Learn key requirements, compliance deadlines, and how to protect your business. Read our complete guide now.
The privacy landscape is shifting dramatically as we move into 2026, with a wave of new state-level legislation fundamentally changing how companies must handle your personal information. If you've been following privacy news, you know that the patchwork of state laws has been expanding rapidly—but this year brings particularly significant changes that affect both consumers and businesses across the United States.
Understanding these new privacy laws isn't just about compliance for companies; it's about knowing your rights as a consumer. With data brokers holding profiles on virtually every American adult—often containing hundreds of data points ranging from your home address to your shopping habits—these legal protections matter more than ever.
Overview of the Legal Framework
The United States continues to lack a comprehensive federal privacy law, which means state legislatures have taken the lead. As of 2026, fourteen states have enacted comprehensive consumer privacy laws, with several more in various stages of implementation. This represents a dramatic expansion from just California and Virginia having active laws in 2020.
The Current State-by-State Landscape
The states with active comprehensive privacy laws in 2026 include California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Jersey, and Kentucky. Each law has its own effective date, with several 2026 implementations creating new compliance obligations.
California remains the gold standard with the California Privacy Rights Act (CPRA), which amended the original CCPA. The CPRA established the California Privacy Protection Agency (CPPA), the first dedicated state privacy regulator in the US, and introduced stricter requirements around sensitive personal information and automated decision-making.
Texas brought significant changes with the Texas Data Privacy and Security Act (TDPSA), which took effect in 2024 but continues evolving through regulatory guidance in 2026. Texas notably includes a private right of action for certain biometric data violations—a provision that gives consumers more enforcement power than many other state laws.
Oregon's Consumer Privacy Act, which became enforceable in mid-2024, includes unique provisions around health data and geolocation information that have influenced other states' approaches.
Key Legal Concepts Across State Laws
Despite variations, most state privacy laws share common foundational principles derived from the Fair Information Practice Principles (FIPPs) that have guided privacy regulation since the 1970s:
Transparency: Companies must clearly disclose what personal data they collect, why they collect it, and with whom they share it. This typically manifests as privacy policy requirements with specific mandatory disclosures.
Consumer Rights: Most laws grant consumers a bundle of rights including access (the right to know what data a company holds), deletion, correction, and portability. Some states also include the right to opt out of targeted advertising and sales of personal information.
Data Minimization: Several newer laws explicitly require businesses to limit collection to what's "reasonably necessary" for disclosed purposes—a significant departure from the traditional "notice and consent" model.
Purpose Limitation: Companies generally cannot use personal data for purposes beyond what was disclosed at collection without obtaining new consent.
The legal framework also distinguishes between different types of data. Sensitive personal information—including precise geolocation, health data, financial information, biometric data, and data about minors—typically receives enhanced protection requiring opt-in consent rather than just opt-out rights.
Enforcement Mechanisms
Understanding enforcement is crucial because it determines how effectively these laws protect you. Most state privacy laws grant enforcement authority exclusively to the state attorney general, though some include private rights of action for specific violations.
California's CPPA can impose administrative fines up to $2,500 per violation or $7,500 per intentional violation. For a data broker with millions of records, potential penalties can quickly reach hundreds of millions of dollars—creating real incentive for compliance.
Texas allows individuals to sue directly for biometric data violations, with statutory damages of $25,000 per violation. This private right of action has already spawned significant litigation against companies using facial recognition or fingerprint scanning without proper consent.
Most laws include a cure period (typically 30 days) where companies can fix violations before penalties apply, though this grace period is being phased out in several states as laws mature.
Who Is Covered and What's Protected
Not every business must comply with every state privacy law, and not all data receives the same level of protection. Understanding these distinctions helps you know when you can exercise your rights.
Business Thresholds
State privacy laws typically apply only to businesses meeting certain thresholds. These vary significantly:
California (CPRA) covers businesses that:
- Have gross annual revenues exceeding $25 million, OR
- Process personal information of 100,000+ California consumers or households annually, OR
- Derive 50% or more of annual revenue from selling or sharing personal information
Virginia, Colorado, and Connecticut use similar frameworks requiring businesses to:
- Conduct business in the state or target products/services to state residents, AND
- Control or process data of at least 100,000 consumers annually (Virginia, Colorado, and Connecticut), OR
- Control or process data of 25,000+ consumers and derive over 25% of gross revenue from selling personal data
Texas has notably lower thresholds, covering businesses that:
- Conduct business in Texas or produce products/services targeted to Texas residents, AND
- Process personal data of 100,000+ consumers (excluding data processed solely for completing transactions), OR
- Process data of 25,000+ consumers and derive more than 50% of gross revenue from selling personal data
These thresholds mean data brokers almost universally fall under these laws' jurisdiction. Companies like Acxiom, Experian, LexisNexis, and the 2,100+ data brokers that aggregate and sell consumer information clearly exceed these thresholds and must comply.
What Qualifies as Personal Information
State laws define "personal information" or "personal data" broadly as information that identifies, relates to, or could reasonably be linked to a particular consumer or household. This includes:
- Identifiers: Name, address, email, phone number, Social Security number, driver's license, IP address, device IDs, cookies
- Commercial information: Purchase history, browsing history, consumer preferences
- Biometric data: Fingerprints, facial recognition data, voiceprints, retina scans
- Geolocation data: Precise location tracking (typically within 1,750 feet)
- Internet activity: Browsing history, search history, interaction with websites or apps
- Professional information: Employment history, education records
- Inferences: Profiles created about preferences, characteristics, behavior, or aptitudes
Sensitive Personal Information Categories
The new privacy laws in 2026 place special emphasis on sensitive personal information, which receives heightened protection:
- Precise geolocation data (your exact location tracked by apps or devices)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Genetic data
- Biometric data processed for identification
- Health information
- Sex life or sexual orientation
- Citizenship or immigration status
- Personal information of known children (under 13 or 16, depending on the state)
For sensitive data, many laws require opt-in consent rather than allowing companies to process it unless you opt out. This is a meaningful distinction—it shifts the default from "we can use this unless you object" to "we cannot use this unless you explicitly agree."
Exemptions and Carve-Outs
Not all information is covered. Common exemptions include:
- Information covered by sector-specific federal laws (HIPAA for health data, GLBA for financial data, FERPA for education records)
- Employee data (in some states)
- Business-to-business contact information
- Publicly available information (though definitions vary)
- Deidentified or aggregated data that cannot reasonably be linked back to individuals
These exemptions create gaps in protection. For example, your health data held by your doctor is protected by HIPAA, but health-related inferences a data broker makes based on your pharmacy purchases might fall under state privacy laws—or might be considered "publicly available" if derived from observable behavior.
Step-by-Step Process: Exercising Your Privacy Rights
Understanding your rights means little without knowing how to exercise them. Here's the practical process for taking control of your data under the new state privacy laws.
Step 1: Determine Your Eligibility
First, confirm that you're a resident of a state with an active privacy law. Most laws define "resident" using the state's tax residency standards—generally, if you live in the state with intent to remain indefinitely, you qualify.
You don't need to prove you're affected by a specific company's practices. If you're a resident and the company does business in your state, you have rights.
Step 2: Identify Which Companies Have Your Data
This is often the hardest step because data collection happens invisibly. Start with:
Direct relationships: Companies where you've created accounts, made purchases, or provided information directly (retailers, social media, streaming services, apps).
Data brokers: Companies that collect and sell consumer data without direct relationships. This includes people-search sites (Spokeo, BeenVerified, Whitepages), marketing data aggregators (Acxiom, Epsilon, Oracle), and risk assessment firms (LexisNexis, CoreLogic).
Third-party trackers: Advertising networks and analytics companies that track you across websites (Google, Facebook, Adobe).
The challenge is that there are 2,100+ known data brokers operating in the United States, and most consumers have never heard of the majority. A free scan can identify which brokers have your information—a crucial first step since you can't exercise rights with companies you don't know exist.
Step 3: Submit a Verifiable Consumer Request
State laws require companies to provide mechanisms for submitting privacy requests. Look for:
- A "Do Not Sell My Personal Information" link (required in California and several other states)
- A "Your Privacy Choices" or "Privacy Rights" link in the website footer
- Contact information in the privacy policy for submitting requests
- Toll-free phone numbers (required in some states)
When submitting your request, you'll typically need to provide:
- Your full name
- Email address or phone number
- State of residence
- Specific rights you're exercising (access, deletion, opt-out, etc.)
Important: Companies can request additional information to verify your identity, but they cannot require you to create an account or provide excessive information. Verification should be proportional to the sensitivity of data and risk of fraud.
Step 4: Understand Response Timeframes
Companies must respond within specific timeframes:
- California: 45 days, with one 45-day extension if reasonably necessary (must notify you of the extension within the first 45 days)
- Virginia, Colorado, Connecticut: 45 days, with one additional 45-day extension when reasonably necessary
- Texas: 45 days, with one 15-day extension
If a company denies your request, they must explain why and inform you of your right to appeal (in states that provide appeal rights).
Step 5: Use the Appeal Process
Virginia, Colorado, Connecticut, and several other states grant you the right to appeal a denial. The company must:
- Respond to your appeal within 60 days (typically)
- Provide a clear explanation if they uphold the denial
- Inform you of how to contact the state attorney general if you remain unsatisfied
Document everything. Save confirmation emails, take screenshots of submission forms, and note dates. This documentation is crucial if you need to escalate to regulators.
Step 6: Leverage Opt-Out Preference Signals
One of the most significant developments in 2026 is the growing adoption of Global Privacy Control (GPC)—a browser setting that automatically signals your opt-out preferences to websites.
California regulations (effective since 2023) require businesses to honor GPC signals as valid opt-out requests for selling/sharing personal information. Colorado, Connecticut, and several other states have adopted similar requirements.
To enable GPC:
- Use a browser that supports it (Brave, Firefox, DuckDuckGo, or install the GPC browser extension for Chrome/Edge)
- Enable the privacy control in settings
- The browser automatically sends an opt-out signal to compliant websites
This is powerful because it automates opt-outs across thousands of websites without individual requests. However, it doesn't work for data brokers that don't have direct website interactions with you—you still need to submit individual requests to those companies.
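How a site on the receiving end consumes that signal, as an added example that is not code from the article or from any product it mentions: a GPC-enabled browser sends the request header `Sec-GPC: 1` (the header name, its single valid value and the `/.well-known/gpc.json` resource come from the GPC specification), and the server treats it as an opt-out of sale and sharing. The preference-record layout, the function names and the sample request are assumptions made for this example.

```python
"""Honouring a Global Privacy Control (GPC) signal on the server side.

Added example; not code from the article. "Sec-GPC" and
"/.well-known/gpc.json" come from the GPC specification; the
preference record layout is an assumption made for this example.
"""
from datetime import date
from typing import Optional

GPC_HEADER = "sec-gpc"   # compared case-insensitively
GPC_ON = "1"             # the only value the spec defines as a signal


def gpc_opt_out_requested(headers: dict) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    Only the literal "1" counts: "true", "yes", "0" or an absent
    header are not a signal, so they must not change anything.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_ON
    return False


def apply_gpc(headers: dict, prefs: dict, today_iso: Optional[str] = None) -> dict:
    """Return a new preference record with the GPC signal applied.

    Design choice for this example: the signal only ever tightens the
    record (sale/sharing and targeted advertising are switched off and
    the source of the opt-out is noted for later documentation). A
    request without the signal is not treated as consent, so nothing
    is ever switched back on here.
    """
    updated = dict(prefs)
    if gpc_opt_out_requested(headers):
        updated["sale_sharing_allowed"] = False
        updated["targeted_ads_allowed"] = False
        updated["opt_out_source"] = "gpc"
        updated["opt_out_recorded"] = today_iso or date.today().isoformat()
    return updated


def well_known_gpc(last_update_iso: str) -> dict:
    """Body served at /.well-known/gpc.json: tells visitors the site
    honours the signal; last_update_iso (YYYY-MM-DD) is the date that
    statement last changed and is supplied by the caller."""
    return {"gpc": True, "lastUpdate": last_update_iso}


if __name__ == "__main__":
    # Constructed sample request from a GPC-enabled browser.
    request_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    current = {"sale_sharing_allowed": True, "targeted_ads_allowed": True}
    print(apply_gpc(request_headers, current, "2026-01-15"))
    print(well_known_gpc("2026-01-15"))
```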
Step 7: Monitor and Maintain Your Privacy
Privacy isn't a one-time action. Data brokers continuously acquire new information from public records, commercial sources, and other brokers. A deletion request today doesn't prevent the same broker from re-acquiring your information next month from a different source.
Effective privacy management requires:
- Regular monitoring of which brokers have your information
- Repeated opt-out requests (quarterly or semi-annually)
- Reviewing privacy settings on apps and services you use
- Being selective about what information you share online
This is where the practical challenge becomes clear: manually managing privacy across 2,100+ data brokers is essentially impossible for an individual. Each broker has different submission processes, verification requirements, and response times.
Common Pitfalls and How to Avoid Them
Even with strong legal rights, consumers frequently encounter obstacles when trying to exercise them. Here's what to watch for and how to navigate these challenges.
Pitfall 1: Identity Verification Friction
The problem: Companies often make verification unnecessarily burdensome, requesting government IDs, notarized documents, or detailed personal information that you're uncomfortable providing.
How to avoid it: State laws require verification to be "reasonably necessary" and proportional to the risk. For a simple opt-out request, providing your name and email should suffice. For access requests involving sensitive data, more verification is reasonable.
If a company requests excessive verification:
- Ask specifically why each piece of information is necessary
- Reference your state's privacy law and note that verification must be proportional
- Offer alternative verification methods
- Document the exchange in case you need to file a complaint
Pitfall 2: Requests Being Ignored or Denied Without Explanation
The problem: Some companies simply don't respond to privacy requests, or they send generic denials without explaining the legal basis.
How to avoid it:
- Always submit requests through official channels (privacy web forms, designated email addresses)
- Save confirmation numbers or emails
- Set calendar reminders for the response deadline (45 days for most states)
- If you receive no response by the deadline, send a follow-up referencing the original request and noting the legal requirement to respond
- If still no response, file a complaint with your state attorney general
For denials, the company must explain why. Common legitimate reasons include:
- The request is "manifestly unfounded or excessive" (you've submitted numerous identical requests)
- They cannot verify your identity
- An exemption applies (the data is covered by HIPAA, for example)
- They don't actually have your information
Vague denials like "we cannot fulfill your request" without explanation are insufficient under most state laws.
Pitfall 3: Incomplete Responses
The problem: A company provides some information but clearly hasn't disclosed everything, or they delete data from one system but not others.
How to avoid it: State laws require companies to provide information about all personal data they maintain, not just data in certain databases. If a response seems incomplete:
- Ask specifically about data categories you know they likely have (purchase history, browsing data, inferences, data obtained from third parties)
- Request information about which third parties they've shared your data with
- If you have evidence they hold data they didn't disclose, reference it specifically in a follow-up request
For deletion requests, ask for confirmation that data has been deleted from:
- Production databases
- Backup systems (they can maintain backups but must delete when backups are restored)
- Third parties with whom they shared your data
- Affiliated companies
Pitfall 4: Confusing "Opt-Out" with "Deletion"
The problem: Many consumers use these terms interchangeably, but they're legally distinct rights with different outcomes.
How to avoid it: Understand the difference:
- Opt-out of sale/sharing: Stops the company from selling your data or sharing it for cross-context behavioral advertising going forward, but doesn't delete data they already have
- Deletion: Requires the company to delete personal information they currently maintain (with certain exceptions)
- Opt-out of processing for targeted advertising: Stops use of your data for personalized ads but doesn't necessarily stop other processing
For maximum privacy, you typically want both deletion and ongoing opt-outs, since companies can re-acquire your information from other sources.
Pitfall 5: Not Understanding Exemptions
The problem: Consumers request deletion of information that companies are legally required to retain, leading to confusion and frustration.
How to avoid it: Companies can deny deletion requests when they need the information to:
- Complete the transaction for which it was collected
- Comply with legal obligations (tax records, warranty obligations)
- Detect security incidents or protect against fraud
- Exercise free speech rights
- Engage in public or peer-reviewed scientific research
- Enable internal uses reasonably aligned with consumer expectations
These exemptions are legitimate. If a company denies deletion citing one of these reasons, ask for specifics about which exemption applies and how long they'll retain the data.
Pitfall 6: Assuming One Request Covers Everything
The problem: Submitting a request to one company or one data broker and assuming your information is protected everywhere.
How to avoid it: Each company is a separate data controller under privacy laws. A deletion request to Facebook doesn't affect Google, Amazon, or data brokers