
State Privacy Laws in 2026: Which States Actually Protect You?

We ranked all 50 states by actual privacy protection. See which states give you the right to delete your data, opt out, and sue — and which leave you exposed.

Written by GhostMyData Team · May 19, 2026 · 14 min read

The Patchwork Reality of American Privacy Law

The United States has no comprehensive federal privacy law. Instead, consumer data protection is governed by a patchwork of state-level legislation that varies dramatically in scope, strength, and enforcement. Depending on where you live, you may have robust legal rights to control your personal data — or virtually none at all.

As of mid-2026, approximately 20 states have enacted comprehensive consumer privacy laws, with several more taking effect this year. But "comprehensive" is a relative term. Some of these laws give consumers meaningful power to know what data companies collect, demand deletion, and opt out of data sales. Others are watered down by broad exemptions, weak enforcement mechanisms, and industry-friendly definitions that render the protections largely theoretical.

This analysis ranks all 50 states into three tiers based on the actual, practical privacy protections available to residents. We evaluate not just whether a law exists, but how strong its provisions are, whether residents can enforce them, and how the law interacts with the data broker ecosystem specifically.

How We Ranked the States

Our tier system evaluates each state across five dimensions:

  • Right to know: Can residents request a copy of the personal data a company holds about them?
  • Right to delete: Can residents demand that a company delete their personal data?
  • Right to opt out of sale: Can residents stop companies from selling their data to third parties?
  • Private right of action: Can individual residents sue companies that violate their privacy rights, or is enforcement limited to the state attorney general?
  • Data broker registration: Does the state require data brokers to register, creating transparency and accountability?

A state earns Tier 1 status by scoring strongly on at least four of these five dimensions. Tier 2 states have meaningful but incomplete protections. Tier 3 states have minimal or no comprehensive consumer privacy protections.

Tier 1: Comprehensive Privacy Protection

These states have enacted strong consumer privacy laws with broad coverage, meaningful rights, and at least some enforcement teeth. If you live in a Tier 1 state, you have legal tools to control your personal data — though enforcement gaps still exist.

California (CCPA/CPRA) — The Gold Standard

California remains the strongest state for consumer privacy. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides:

  • Right to know: Comprehensive. Companies must disclose what data they collect, where they got it, and who they share it with.
  • Right to delete: Broad. Companies must delete personal data upon request, with limited exceptions for legal obligations and fraud prevention.
  • Right to opt out of sale and sharing: The strongest in the nation. The CPRA expanded this to cover "sharing" for cross-context behavioral advertising, not just "sales."
  • Private right of action: Limited to data breaches involving specified personal information (SSN, financial accounts, etc.). Not available for general privacy violations.
  • Data broker registration: Yes. The California Delete Act (SB 362) created a centralized data broker registry and is building the DELETE platform — a one-stop portal for consumers to request deletion from all registered brokers.
  • Enforcement: Dedicated California Privacy Protection Agency (CPPA) with rulemaking and enforcement authority.

California's practical strength comes not just from the law itself but from the enforcement infrastructure. The CPPA actively investigates and fines companies, and the data broker registry creates accountability that does not exist in most other states.

Colorado (CPA)

Colorado's Privacy Act provides all four core consumer rights (know, delete, opt out, correct) and was one of the first states to require universal opt-out mechanisms. Colorado's law is notable for requiring data protection assessments for high-risk processing activities and giving the Attorney General authority to issue regulations, making the framework adaptable.

  • Right to delete: Yes, with standard exceptions
  • Right to opt out: Yes, including targeted advertising and profiling
  • Private right of action: No. Enforcement is limited to the Attorney General.
  • Practical note: Colorado's AG has been more active in enforcement than many other states, issuing guidance and pursuing complaints.

Connecticut (CTDPA)

Connecticut's Data Privacy Act is one of the more consumer-friendly laws outside California. It covers all four core rights and has a relatively narrow set of exemptions. Connecticut was also one of the first states to require compliance with universal opt-out signals (like Global Privacy Control).

  • Right to delete: Yes
  • Right to opt out: Yes, with universal opt-out signal requirement
  • Private right of action: No
  • Practical strength: Medium-high. The law is comprehensive, but enforcement resources are limited.

Virginia (VCDPA)

Virginia was the second state to pass a comprehensive privacy law. The VCDPA provides the core rights but is widely viewed as more business-friendly than California's CCPA.

  • Right to delete: Yes
  • Right to opt out of sale: Yes
  • Private right of action: No
  • Practical note: Virginia's law has broader exemptions for employee data and B2B data, and the AG's enforcement has been less aggressive than California's.

Oregon (OCPA)

Oregon's Consumer Privacy Act took effect in 2024 and includes some uniquely strong provisions. It is one of the few state laws to cover nonprofit organizations and has a relatively low applicability threshold.

  • Right to delete: Yes
  • Right to opt out: Yes, including for profiling in furtherance of automated decisions
  • Private right of action: No
  • Practical strength: The nonprofit coverage and lower thresholds make it broader in some respects than Virginia or Colorado.

Texas (TDPSA)

The Texas Data Privacy and Security Act is notable primarily because of Texas's size — it is the second-largest state by population, meaning the law covers roughly 30 million residents. The rights are broadly similar to Virginia's model.

  • Right to delete: Yes
  • Right to opt out: Yes
  • Private right of action: No
  • Practical note: Texas's AG has historically been aggressive on data privacy enforcement, even before the TDPSA. The combination of a large population and an active AG makes this law more impactful than its text alone would suggest.

Other Tier 1 States

Several additional states have enacted comprehensive privacy laws that qualify for Tier 1 status based on the breadth of their consumer rights provisions. Delaware, New Jersey, New Hampshire, Maryland, Minnesota, and Nebraska all have comprehensive consumer privacy laws that took effect in 2025 or 2026, providing the core rights to know, delete, and opt out. Maryland's law is particularly notable for restricting the collection of sensitive data, not just its use.

Tier 2: Partial Privacy Protection

Tier 2 states have enacted some form of privacy legislation but fall short of comprehensive consumer rights. They may provide specific protections (like data breach notification or biometric data laws) without covering the full spectrum of consumer data rights.

Illinois (BIPA)

Illinois does not have a comprehensive consumer privacy law, but the Biometric Information Privacy Act (BIPA) is arguably the most powerful single privacy statute in the country. BIPA gives individuals a private right of action for unauthorized collection of biometric data (fingerprints, facial scans, iris scans, voiceprints) with statutory damages of $1,000 to $5,000 per violation. BIPA has generated more privacy litigation than any other state law and has forced major technology companies to change their biometric data practices.

However, BIPA covers only biometric data. It does not provide general rights to know, delete, or opt out of data sale.

Montana, Indiana, Iowa, Tennessee

These states passed comprehensive privacy laws modeled loosely on Virginia's VCDPA but with higher applicability thresholds, broader exemptions, or weaker provisions that limit their practical impact. They provide the core rights on paper but with enough caveats that meaningful consumer protection is reduced.

Nevada

Nevada was actually one of the earliest states to pass an opt-out-of-sale law (SB 220, 2019), predating many comprehensive laws. However, it is narrower in scope — covering only the sale of "covered information" collected through a website or online service. It does not provide a right to know or a right to delete.

Washington

Washington passed the My Health My Data Act, which provides strong protections specifically for consumer health data but does not cover the full scope of personal information that comprehensive privacy laws address. Washington's general consumer privacy bill failed multiple times in the legislature.

New York

Somewhat surprisingly, New York does not have a comprehensive consumer privacy law as of mid-2026. The state has strong protections in specific areas — financial data (Department of Financial Services cybersecurity regulations), biometric data (commercial settings), and data breach notification — but no overarching framework like CCPA. Multiple comprehensive privacy bills have been introduced but have not passed.

Tier 3: Minimal or No Privacy Protection

The remaining states lack comprehensive consumer privacy legislation. Residents of these states have few or no legal tools to:

  • Request a copy of their personal data from data brokers
  • Demand deletion of their personal information
  • Opt out of the sale of their data
  • Take legal action against companies that mishandle their data (beyond existing data breach notification laws)

States in this tier include: Alabama, Alaska, Arizona, Arkansas, Georgia, Hawaii, Idaho, Kansas, Kentucky, Louisiana, Maine, Massachusetts, Michigan, Mississippi, Missouri, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Vermont, West Virginia, Wisconsin, and Wyoming.

Some of these states have notable individual provisions:

  • Vermont requires data brokers to register with the state, even though it does not give consumers a right to delete or opt out. This registration requirement creates transparency but not actionable consumer rights.
  • Maine passed a narrow ISP privacy law that prevents internet service providers from selling customer data without consent, but this does not extend to data brokers or other companies.
  • Massachusetts has strong data breach notification and data security regulations but no comprehensive privacy framework.

Many of these states have active legislative efforts, and the list of Tier 3 states shrinks every year. However, as of mid-2026, residents of roughly 25 states have no meaningful right to demand that data brokers delete their personal information.

The Enforcement Problem

Even in Tier 1 states, enforcement is a persistent challenge. The core issue is that most comprehensive privacy laws reserve enforcement authority to the state attorney general, with no private right of action for individual consumers. This means:

  • Limited resources: Attorney general offices have limited staff and budgets dedicated to privacy enforcement. They cannot investigate every complaint.
  • Prioritization: AG offices tend to pursue high-profile cases against large companies rather than individual complaints against mid-tier data brokers.
  • Cure periods: Many state laws include a "cure period" (typically 30 to 60 days) that gives companies a chance to fix violations before any enforcement action. This effectively makes the first violation consequence-free.
  • Cross-border challenges: Data brokers may be based in one state while serving residents of another, creating jurisdictional complications.

California is the notable exception, with its dedicated Privacy Protection Agency. No other state has created an equivalent enforcement body, and even the CPPA's resources are modest relative to the scale of the data broker industry.

What This Means If You Live in a Tier 3 State

If you live in a state without comprehensive privacy legislation, you are not entirely without options:

California's CCPA has extraterritorial effects. Many large data brokers comply with CCPA's deletion requirements for all users, not just California residents, because building state-specific workflows is more expensive than applying the highest standard universally. When you submit a deletion request, the broker often processes it regardless of your state. They are not legally required to, but many do.

Federal sector-specific laws still apply. The Fair Credit Reporting Act (FCRA) governs credit reporting agencies. HIPAA protects health information. The Gramm-Leach-Bliley Act covers financial institutions. These laws apply nationwide.

You can still submit opt-out requests. Data brokers generally honor opt-out requests from all users, even in states without privacy laws. They are under no legal obligation to do so, but reputational concerns and the administrative cost of differentiating by state mean most brokers process all requests.

Automated tools work regardless of your state. Services like GhostMyData submit removal requests on your behalf using the strongest available legal framework. If you have ever had an address in a state with privacy protections, those laws may apply to data collected during that residency.

The Federal Privacy Law Question

The absence of a federal privacy law is the elephant in the room. The American Data Privacy and Protection Act (ADPPA) advanced further through Congress than any previous federal privacy bill but ultimately stalled. The primary sticking point remains preemption — whether a federal law should override state laws like CCPA. California and consumer advocates argue that federal legislation should set a floor, not a ceiling, while industry groups push for a single uniform standard that would preempt stronger state laws.

Until a federal law passes, the patchwork will continue, and the practical reality is that your privacy rights depend heavily on your zip code.

Automate Your Privacy with GhostMyData

Regardless of which state you live in, your data is exposed on data broker sites across the country. GhostMyData leverages the strongest available privacy laws on your behalf:

  • Multi-state legal framework: We cite the strongest applicable privacy law for each removal request based on your profile, whether that is CCPA, VCDPA, CPA, or another state statute
  • 1,500+ broker coverage: We cover data brokers in every category — people-search, enterprise, marketing, and more
  • Automated submissions and follow-up: No need to research individual broker opt-out processes
  • Continuous monitoring: Recurring scans catch re-listings and new exposures
  • Works in all 50 states: Even if your state has no privacy law, our removal pipeline still gets results

Start your free scan to see where your data is exposed and take control of your personal information.

Frequently Asked Questions

Which state has the strongest privacy law in 2026?

California remains the strongest state for consumer privacy protection. The CCPA/CPRA provides the broadest rights (know, delete, opt out of sale and sharing, correct, limit use of sensitive data), the most robust enforcement infrastructure (dedicated California Privacy Protection Agency), and the first-of-its-kind data broker registry under the California Delete Act. It is also the only state where consumers have any private right of action for data breaches, albeit limited.

Do I have any privacy rights if my state has no privacy law?

Yes, though they are more limited. Federal laws like the Fair Credit Reporting Act (FCRA) and sector-specific regulations still apply. You can also submit opt-out requests to data brokers, and most will honor them regardless of your state of residence. Many large data brokers apply CCPA-level compliance universally because it is more efficient than building state-specific workflows. Automated removal services can submit requests on your behalf using the strongest available legal framework.

How many states have comprehensive privacy laws in 2026?

Approximately 20 states have enacted comprehensive consumer privacy laws as of mid-2026, with several more laws scheduled to take effect later in the year. However, the strength of these laws varies significantly. Only California has a dedicated enforcement agency and a data broker registry. Most other states limit enforcement to the attorney general and do not provide consumers with a private right of action.

Can a state privacy law protect me from data brokers in other states?

Partially. State privacy laws generally apply based on where the consumer resides, not where the data broker is located. If you are a California resident, a data broker in Florida must comply with the CCPA when handling your data. However, enforcement across state lines can be challenging, and some smaller brokers may ignore requests from out-of-state enforcement agencies. This is one reason automated removal services are effective — they persistently follow up on requests that a state AG might not have resources to pursue.

Why hasn't Congress passed a federal privacy law?

The primary obstacle is the preemption debate. Industry groups want a single federal standard that would override state laws like CCPA, simplifying compliance. Consumer advocates and California legislators argue that a federal law should set a minimum floor while allowing states to enact stronger protections. Neither side has been willing to compromise, and the resulting stalemate has persisted through multiple congressional sessions. Other factors include lobbying by the data broker industry, disagreements over private right of action, and competing legislative priorities.
