Key point: The U.S. state privacy law landscape has rapidly expanded in 2026, growing from 20 to 24 states—and reinforcing a common framework for compliance.
Introduction
U.S. privacy legislation continues to evolve at a rapid pace. What began as a patchwork of 20 comprehensive state privacy laws at the beginning of 2026 has now expanded to 24 states, following a new wave of legislative activity.
This expansion reflects ongoing momentum at the state level in the absence of a comprehensive U.S. federal privacy statute. While the growing number of laws increases compliance complexity, most states continue to converge around a common regulatory model, offering some predictability for businesses operating across jurisdictions.
2026 Legislative Additions
In 2026, several additional states moved to adopt comprehensive consumer privacy frameworks, bringing the total number of enacted laws to 24. Alabama, Louisiana, Oklahoma, and Vermont have passed laws that build on the existing foundation in the U.S. and signal continued bipartisan support for consumer data protection measures across jurisdictions.
Although not all of these laws are yet effective, their passage reinforces the expectation that the U.S. will continue moving toward broader state-level privacy coverage in the near term.
The Original 20-State Baseline
Prior to these latest developments, the following 20 states had already finalized comprehensive privacy laws:
- California
- Virginia
- Colorado
- Connecticut
- Utah
- Iowa
- Indiana
- Tennessee
- Texas
- Florida
- Maryland
- Minnesota
- Montana
- Oregon
- Delaware
- New Hampshire
- New Jersey
- Kentucky
- Nebraska
- Rhode Island
These states form the core framework in the U.S., with most laws either already in force or scheduled to take effect between 2023 and 2026.
Dominant Legal Framework
Despite the growing number of new laws, most state privacy laws follow a highly structured and similar model.
Key characteristics of this framework include:
- Universal Opt-Out Mechanisms (UOOMs): Many states require businesses to recognize browser-based or device-level signals (e.g., Global Privacy Control) that communicate consumers’ opt-out preferences.
- Attorney General Enforcement: Enforcement authority is typically vested exclusively in state attorneys general, rather than private litigants.
- No Private Right of Action: As mentioned above, most state laws do not allow consumers themselves to bring lawsuits for alleged violations (with limited exceptions, such as data breach claims in California).
- Standardized Consumer Rights: Across jurisdictions, individuals are generally granted rights to:
  - access their personal information
  - delete their personal information
  - correct inaccuracies in their personal information
  - opt out of certain processing (e.g., targeted advertising, sale of personal information)
This convergence around common legal requirements has created a de facto national standard, even in the absence of federal legislation.
Notable Differences Across the 24-State Landscape
While the overall structure is consistent, here are a few important state-by-state variations:
1. Applicability Thresholds
- Some state laws apply only to large businesses. For example, the Florida Digital Bill of Rights (FDBR) applies only to entities that meet all of the following criteria:
  - Conduct business in Florida or produce products or services consumed by Florida residents.
  - Collect personal data about consumers (or have someone collect it on their behalf).
  - Earn more than $1 billion in global gross annual revenue.
  - Meet at least one of these three additional conditions:
    - derive 50% or more of global revenue from online advertising sales, including targeted advertising
    - operate a consumer smart speaker with a voice-activated virtual assistant connected to cloud computing
    - operate an app store or digital distribution platform offering at least 250,000 software applications
- In practical terms, this means the FDBR targets big tech companies.
- In addition, the Florida Information Protection Act (FIPA)—which focuses on data security and breach notification rather than comprehensive consumer privacy rights—applies to most Florida businesses.
- Other state laws have lower thresholds, pulling smaller companies into scope.
- A few states impose no minimum thresholds, expanding applicability significantly.
2. Scope of Sensitive Personal Information (SPI) Restrictions
- Most states require a business to obtain a consumer’s affirmative permission before collecting or using their SPI.
- Some states impose stricter limitations or outright prohibitions on specific uses of SPI.
3. Nuances in Enforcement
- Cure periods vary (typically 30–60 days).
- Enforcement activity is increasing, with regulators/enforcement agencies becoming more proactive.
4. Technical Compliance Requirements
- Differences in UOOM recognition requirements.
- Variation in requirements for data protection assessments and profiling-related disclosures.
5. Business-to-business and Employee Data Exemptions
- The California Consumer Privacy Act is the only state law with no B2B or employee data exemption.
- Every other comprehensive state privacy law generally includes exemptions for:
  - individuals acting in a commercial (B2B) context, and
  - individuals acting in an employment/HR context.
- These laws typically exclude such data from the definition of protected “consumer” data.
Implications for Federal Legislation
The widespread adoption of this largely uniform framework is being closely monitored by national business coalitions and policymakers.
The consistency in state laws might serve as the foundation for future federal privacy legislation, as legislators look to harmonize state requirements while preserving core consumer protections. However, until such legislation is enacted, businesses must continue to navigate the state-by-state patchwork.
What This Means for Businesses
With the expansion to 24 state laws, organizations should:
- Update their compliance programs to account for the newly enacted laws or adopt a harmonized, nationwide approach aligned with the common principles in these laws.
- Monitor effective dates of these laws and associated rulemaking proceedings.
- Implement scalable technical solutions (e.g., UOOM recognition).
- Review contracts with customers, vendors, and service providers in light of all applicable laws and regulations.
Conclusion
The expansion from 20 to 24 state privacy laws in 2026 underscores the continued importance and greater awareness of individual privacy rights. While this expansion increases complexity, the consistency in these laws offers a clearer path to compliance.
Absent Congressional action, this trend is likely to continue. Proactive and adaptable privacy governance is essential.
