U.S. State Privacy Law Landscape Expands to 24 States: What the Latest Legislative Wave Means for Businesses

By Heidi Salow on June 29, 2026

Key point: The U.S. state privacy law landscape has rapidly expanded in 2026, growing from 20 to 24 states—and reinforcing a common framework for compliance.

Introduction

U.S. privacy legislation continues to evolve at a rapid pace. What began as a patchwork of 20 comprehensive state privacy laws at the beginning of 2026 has now expanded to 24 states, following a new wave of legislative activity.

This expansion reflects ongoing momentum at the state level in the absence of a comprehensive U.S. federal privacy statute. While the growing number of laws increases compliance complexity, most states continue to converge around a common regulatory model, offering some predictability for businesses operating across jurisdictions.

2026 Legislative Additions

In 2026, several additional states moved to adopt comprehensive consumer privacy frameworks, bringing the total number of enacted laws to 24. Alabama, Louisiana, Oklahoma, and Vermont have passed laws that build on the existing foundation in the U.S. and signal continued bipartisan support for consumer data protection measures across jurisdictions.

Although not all of these laws are yet effective, their passage reinforces the expectation that the U.S. will continue moving toward broader state-level privacy coverage in the near term.

The Original 20-State Baseline

Prior to these latest developments, the following 20 states had already finalized comprehensive privacy laws:

  • California
  • Virginia
  • Colorado
  • Connecticut
  • Utah
  • Iowa
  • Indiana
  • Tennessee
  • Texas
  • Florida
  • Maryland
  • Minnesota
  • Montana
  • Oregon
  • Delaware
  • New Hampshire
  • New Jersey
  • Kentucky
  • Nebraska
  • Rhode Island

These states form the core framework in the U.S., with most laws either already in force or scheduled to take effect between 2023 and 2026.

Dominant Legal Framework

Despite the growing number of new laws, most state privacy laws follow a highly structured and similar model.

Key characteristics of this framework include:

  • Universal Opt-Out Mechanisms (UOOMs): Many states require businesses to recognize browser-based or device-level signals (e.g., Global Privacy Control) that communicate consumers’ opt-out preferences.
  • Attorney General Enforcement: Enforcement authority is typically vested exclusively in state attorneys general, rather than private litigants.
  • No Private Right of Action: As mentioned above, most state laws do not allow consumers themselves to bring lawsuits for alleged violations (with limited exceptions, such as data breach claims in California).
  • Standardized Consumer Rights: Across jurisdictions, individuals are generally granted rights to:
    • access their personal information
    • delete their personal information
    • correct inaccuracies in their personal information
    • opt out of certain processing (e.g., targeted advertising, sale of personal information)

This convergence around common legal requirements has created a de facto national standard, even in the absence of federal legislation.

Notable Differences Across the 24-State Landscape

While the overall structure is consistent, here are a few important state-by-state variations:

1. Applicability Thresholds

  • Some state laws apply only to large businesses. For example, the Florida Digital Bill of Rights (FDBR) applies only to entities that meet all of the following criteria:
    • Conduct business in Florida or produce products or services consumed by Florida residents.
    • Collect personal data about consumers (or have someone collect it on their behalf).
    • Earn more than $1 billion in global gross annual revenue.
    • Meet at least one of these three additional conditions:
      • derive 50% or more of global revenue from online advertising sales, including targeted advertising
      • operate a consumer smart speaker with a voice-activated virtual assistant connected to cloud computing
      • operate an app store or digital distribution platform offering at least 250,000 software applications
    • In practical terms, this means the FDBR targets big tech companies.
    • In addition, the Florida Information Protection Act (FIPA)—which focuses on data security and breach notification rather than comprehensive consumer privacy rights—applies to most Florida businesses.
  • Other state laws have lower thresholds, pulling smaller companies into scope.
  • A few states impose no minimum thresholds, expanding applicability significantly.

2. Scope of Sensitive Personal Information (SPI) Restrictions

  • Most states require a business to obtain a consumer’s affirmative permission before collecting or using their SPI.
  • Some states impose stricter limitations or outright prohibitions on specific uses of SPI.

3. Nuances in Enforcement

  • Cure periods vary (typically 30–60 days).
  • Enforcement activity is increasing, with regulators/enforcement agencies becoming more proactive.

4. Technical Compliance Requirements

  • Differences in UOOM recognition requirements.
  • Variation in requirements for data protection assessments and profiling-related disclosures.

5. Business-to-Business and Employee Data Exemptions

  • The California Consumer Privacy Act is the only state law with no B2B or employee data exemption.
  • Every other comprehensive state privacy law generally includes exemptions for:
    • individuals acting in a commercial (B2B) context, and
    • individuals acting in an employment/HR context.
    • These laws typically exclude such data from the definition of protected “consumer” data.

Implications for Federal Legislation

The widespread adoption of this largely uniform framework is being closely monitored by national business coalitions and policymakers.

The consistency in state laws might serve as the foundation for future federal privacy legislation, as legislators look to harmonize state requirements while preserving core consumer protections. However, until such legislation is enacted, businesses must continue to navigate the state-by-state patchwork.

What This Means for Businesses

With the expansion to 24 state laws, organizations should:

  • Update their compliance programs to account for the newly enacted laws or adopt a harmonized, nationwide approach aligned with the common principles in these laws.
  • Monitor effective dates of these laws and associated rulemaking proceedings.
  • Implement scalable technical solutions (e.g., UOOM recognition).
  • Review contracts with customers, vendors, and service providers in light of all applicable laws and regulations.

Conclusion

The expansion from 20 to 24 state privacy laws in 2026 underscores the continued importance and greater awareness of individual privacy rights. While this expansion increases complexity, the consistency in these laws offers a clearer path to compliance.

Absent Congressional action, this trend is likely to continue. Proactive and adaptable privacy governance is essential.

Heidi Salow

Heidi counsels clients on a wide range of laws, regulations, and standards, including the California Consumer Privacy Act (CCPA), Family Educational Rights and Privacy Act (FERPA), EU and U.K. General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), and National Institute of Standards and Technology (NIST) frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, biometrics, and information security. In a world where data protection touches every organization, her work spans a wide array of industries.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Byte Back
  • Organization:
    Husch Blackwell LLP