The federal privacy landscape
The United States does not have a comprehensive federal consumer privacy law as of 2026. Federal privacy protection is sectoral — different laws cover different categories of data:
- FTC Act §5 prohibits unfair and deceptive trade practices — the FTC has used this to enforce against data brokers, including the 2023 settlement with TruthFinder and Instant Checkmate.
- FCRA (Fair Credit Reporting Act) regulates consumer reporting agencies and gives consumers the right to dispute inaccurate information.
- HIPAA protects health information held by covered entities (hospitals, insurers, providers).
- GLBA (Gramm-Leach-Bliley) covers financial institutions and the personal financial information they collect.
- COPPA protects children under 13 from online data collection without parental consent.
- EO 14117 / PADFAA (2024) prohibits data brokers from making sensitive personal data of US persons available to foreign adversary countries. Penalties range from $53K (FTC) to $368K (DOJ) per violation.
Comprehensive consumer privacy — the right to know, access, delete, correct, and opt out — is handled at the state level. Twenty-one states have enacted such laws as of 2026, beginning with California's CCPA in 2018.
All 21 US state privacy laws (2026)
Comprehensive consumer privacy laws in effect as of 2026, sorted alphabetically. States with data broker registries are marked.
| State | Law | Citation | Response deadline | Max penalty | Broker registry |
|---|---|---|---|---|---|
| California | CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) | Cal. Civ. Code § 1798.100 et seq. | 45 days | $7,500 per intentional violation | Yes |
| Colorado | CPA (Colorado Privacy Act) | C.R.S. § 6-1-1301 et seq. | 45 days | $20,000 per violation | No |
| Connecticut | CTDPA (Connecticut Data Privacy Act) | Conn. Gen. Stat. § 42-515 et seq. | 45 days | $5,000 per willful violation | No |
| Delaware | DPDPA (Delaware Personal Data Privacy Act) | Del. Code tit. 6, Ch. 12D | 45 days | $10,000 per violation | No |
| Indiana | INCDPA (Indiana Consumer Data Protection Act) | Ind. Code § 24-15 | 45 days | $7,500 per violation | No |
| Iowa | ICDPA (Iowa Consumer Data Protection Act) | Iowa Code Ch. 715D | 90 days | $7,500 per violation | No |
| Kentucky | KCDPA (Kentucky Consumer Data Protection Act) | Ky. Rev. Stat. Ch. 367 | 45 days | $7,500 per violation | No |
| Maryland | MODPA (Maryland Online Data Privacy Act) | Md. Code, Com. Law § 14-4601 et seq. | 45 days | $10,000 first violation; $25,000 each subsequent | No |
| Minnesota | MNCDPA (Minnesota Consumer Data Privacy Act) | Minn. Stat. Ch. 325O | 45 days | $7,500 per violation | No |
| Montana | MCDPA (Montana Consumer Data Privacy Act) | Mont. Code Ann. § 30-14-2801 et seq. | 45 days | $7,500 per violation | No |
| Nebraska | NDPA (Nebraska Data Privacy Act) | Neb. Rev. Stat. § 87-1101 et seq. | 45 days | $7,500 per violation | No |
| New Hampshire | NHPA (New Hampshire Privacy Act) | N.H. RSA Ch. 507-H | 45 days | $100,000 for intentional noncompliance | No |
| New Jersey | NJDPA (New Jersey Data Privacy Act) | N.J.S.A. § 56:8-166 et seq. | 45 days | $10,000 first violation; $20,000 each subsequent | No |
| Oregon | OCPA (Oregon Consumer Privacy Act) | ORS § 646A.570 et seq. | 45 days | $7,500 per violation | Yes |
| Rhode Island | RIDTPPA (Rhode Island Data Transparency and Privacy Protection Act) | R.I. Gen. Laws § 6-48.1 | 45 days | $100 to $500 per intentional violation | No |
| Tennessee | TIPA (Tennessee Information Protection Act) | Tenn. Code § 47-18-3201 et seq. | 45 days | $7,500 per violation (treble damages for willful violations) | No |
| Texas | TDPSA (Texas Data Privacy and Security Act) | Tex. Bus. & Com. Code Ch. 541 | 45 days | $7,500 per violation | Yes |
| Utah | UCPA (Utah Consumer Privacy Act) | Utah Code § 13-61 | 45 days | $7,500 per violation | No |
| Vermont | VDPA (Vermont Data Privacy Act) | 9 V.S.A. § 2430 et seq. | 45 days | Per Vermont Consumer Protection Act | Yes |
| Virginia | VCDPA (Virginia Consumer Data Protection Act) | Va. Code § 59.1-575 et seq. | 45 days | $7,500 per violation | No |
Florida's Digital Bill of Rights (FDBR) is included in the count above as a comprehensive state privacy law applicable to large digital businesses.
Your core rights under US state privacy laws
Across the 21 state laws, consumer rights are largely consistent. Most laws grant five core rights:
Right to know
Find out what personal data a business has collected about you, the sources, the purposes for collection, and which third parties have received it.
Right to access
Receive a copy of your personal data in a portable, machine-readable format.
Right to delete
Require businesses to delete personal data they have collected from you, with limited exceptions for legal compliance and security.
Right to correct
Have inaccurate personal data corrected. Available in most states except Utah, Iowa, and Tennessee.
Right to opt out
Stop the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects.
Right to non-discrimination
Businesses may not penalize you for exercising your privacy rights — no service denial, no different prices, no degraded quality.
The authorized agent provision
CCPA §1798.135(c) and equivalent provisions in 18 other US state privacy laws explicitly permit consumers to designate an authorized agent to submit privacy requests on their behalf. This is the legal mechanism that makes automated data deletion services possible.
GhostMyData operates as an authorized agent for every user. When you click “Remove” in your dashboard, we generate a CCPA-compliant deletion request signed under your authorization, citing the strongest applicable state law for your jurisdiction. Data brokers are required to process the request within 45 days (90 days in Iowa) and respond regardless of whether you are a resident of California, Virginia, or any other state.
For users in states without comprehensive privacy laws, we cite a multi-law framework including the CCPA's extraterritorial provisions (which apply to any business with $25M+ revenue or 100K+ California consumer records), the FCRA right to dispute (per FTC v. TruthFinder, 2023), state Right of Publicity statutes, and FTC Act §5 unfair-practice provisions.
Data broker registries
Four states require data brokers to register with the state government. These registries provide the most direct mechanism for enforcing privacy rights against the broker industry:
California — SB 362, the Delete Act
Signed October 2023, implementation through 2026. Creates the Data Broker Deletion Mechanism (DROP) operated by the California Privacy Protection Agency, allowing consumers to delete their data from every registered California data broker through a single request. Penalties up to $200/day.
Texas — TDPSA broker registration
Data brokers must register with the Texas Secretary of State. Unregistered brokers face $100/day, up to $10,000 per year.
Oregon — OCPA broker registration
Data brokers must register with the state. Unregistered brokers face $500/day, up to $10,000 per year.
Vermont — first state to mandate registration (2018)
Vermont was the first US state to require data broker registration. Unregistered brokers face $50/day, up to $10,000 per year. Annual registration fee: $100.
Right of Publicity statutes
Even in states without comprehensive privacy laws, individuals often have a Right of Publicity — a private right of action against commercial use of their name, likeness, or identity without consent. This applies to ad-supported people-search sites that monetize your profile.
States with Right of Publicity statutes or strong common law include: California, Florida, Georgia, Illinois, Indiana, Nevada, New York, Ohio, Pennsylvania, Tennessee, Texas, and Washington.
Recent Right of Publicity settlements against data brokers: ZoomInfo $29.55M (2024), Thomson Reuters $27.5M (2025), PeopleFinders $4.89M (2024), Whitepages $4M.
Frequently asked questions
Is there a federal privacy law in the United States in 2026?
No. The United States does not have a comprehensive federal privacy law as of 2026. Federal protection is sectoral: HIPAA covers health data, GLBA covers financial data, FCRA covers credit reports, COPPA covers children under 13, and the FTC Act prohibits unfair or deceptive practices. Comprehensive consumer privacy is handled at the state level — 21 states have enacted comprehensive consumer privacy laws as of 2026.
Which US states have privacy laws in 2026?
Twenty-one states have enacted comprehensive consumer privacy laws as of 2026: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Montana (MCDPA), Oregon (OCPA), Texas (TDPSA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Kentucky (KCDPA), Nebraska (NDPA), Maryland (MODPA), Minnesota (MNCDPA), Rhode Island (RIDTPPA), Vermont (VDPA), and Florida (FDBR for digital businesses).
Which states have a data broker registry?
Four US states require data brokers to register with the state: California (under SB 362, the Delete Act), Texas (under TDPSA), Oregon (under OCPA), and Vermont (which in 2018 became the first state to mandate registration). Unregistered data brokers in these states face penalties ranging from $50 to $500 per day.
What are the typical rights under US state privacy laws?
Most US state privacy laws grant consumers five core rights: (1) the right to know what personal data is collected; (2) the right to access a copy of that data; (3) the right to delete personal data; (4) the right to correct inaccurate data; and (5) the right to opt out of data sales, targeted advertising, and profiling. California's CCPA/CPRA additionally grants a private right of action for data breaches and requires global opt-out signal recognition.
How long do businesses have to respond to a privacy request?
Most US state privacy laws require businesses to respond to consumer privacy requests within 45 days, with one 45-day extension available for complex requests (90 days total maximum). Iowa is the exception with a 90-day initial response window. California's CCPA/CPRA requires a confirmation of receipt within 10 business days.
Can I exercise my privacy rights through an authorized agent?
Yes. CCPA §1798.135(c) and equivalent provisions in 18 other state privacy laws explicitly permit consumers to designate an authorized agent to submit deletion, access, and opt-out requests on their behalf. GhostMyData operates as an authorized agent under these provisions, which means data brokers must accept and process our requests for any consumer in these states.
What is the California Delete Act (SB 362)?
California Senate Bill 362, known as the Delete Act, was signed into law in October 2023 and is being implemented through 2026. It requires registered data brokers in California to honor a single deletion request submitted through the Data Broker Deletion Mechanism (DROP), to be operated by the California Privacy Protection Agency. Consumers will be able to delete their data from every registered California data broker through one request.
What penalties do data brokers face for violations?
Penalties vary by state. California imposes up to $7,500 per intentional violation. Colorado allows penalties up to $20,000 per violation. New Hampshire allows up to $100,000 for intentional noncompliance. Maryland and New Jersey impose escalating penalties: $10,000 first violation, $20,000–$25,000 each subsequent. In most states the law is enforced by the state Attorney General; in California it is also enforced by the California Privacy Protection Agency.
Do I need to live in a privacy-law state for protection?
The protections of the California, Texas, Oregon, and Vermont data broker registry laws apply to residents of those states. However, GhostMyData submits requests under CCPA's authorized agent provisions and a multi-law framework. Most large data brokers have nationwide policies that respect privacy requests regardless of consumer residency, in part because they cannot reliably segment their database by state and most operate businesses subject to California jurisdiction.
How does GhostMyData handle the patchwork of state laws?
GhostMyData automatically selects the strongest applicable privacy law for each user based on residency, citing it directly in deletion requests sent to data brokers. For users in states without comprehensive privacy laws, we cite a multi-law framework including the CCPA extraterritorial provisions, FCRA right to dispute (per FTC v. TruthFinder), state Right of Publicity statutes, and FTC Act §5 unfair-practice provisions.