← Back to Blog

US State Privacy Laws in 2026 — The Complete List

All 19 active US state privacy laws as of 2026, what they require, and which ones apply to your e-commerce business.

2026-02-15

The Privacy Law Landscape in 2026

The US doesn't have a single federal privacy law (yet), but 19 states have now passed comprehensive privacy legislation. If you sell online, you almost certainly have customers in several of these states.

The good news: most of these laws share common requirements. Get the basics right, and you're largely covered across all of them.

Active State Privacy Laws

Here's every active US state privacy law as of early 2026:

  • California (CCPA/CPRA) — The most comprehensive. Applies to businesses with $25M+ revenue, 100K+ consumers' data, or 50%+ revenue from data sales.
  • Virginia (VCDPA) — Applies to businesses controlling data of 100K+ consumers or 25K+ consumers if 50%+ revenue from data sales.
  • Colorado (CPA) — Similar thresholds to Virginia. Requires universal opt-out mechanism.
  • Connecticut (CTDPA) — Mirrors Virginia closely.
  • Utah (UCPA) — Business-friendly. Higher revenue threshold ($25M+).
  • Texas (TDPSA) — No revenue threshold — applies to nearly all businesses with Texas customers.
  • Oregon (OCPA) — Applies to businesses controlling data of 100K+ consumers or 25K+ if revenue from data sales.
  • Montana (MCDPA) — Smaller state, lower thresholds (50K+ consumers).
  • Delaware (DPDPA) — Effective 2025. Applies to businesses with 35K+ consumers' data.
  • Iowa (ICDPA) — Effective 2025. Narrower scope, focused on data sales.
  • New Jersey (NJDPA) — Effective 2025. Applies to businesses with 100K+ consumers' data.
  • New Hampshire (NHPA) — Effective 2025. Mirrors Connecticut.
  • Nebraska (NDPA) — Effective 2025. Applies broadly.
  • Tennessee (TIPA) — Effective 2025. Revenue threshold of $25M+.
  • Minnesota (MCDPA) — Effective 2025. Strong consumer rights provisions.
  • Maryland (MODPA) — Effective 2025. Strict data minimization requirements.
  • Indiana (INCDPA) — Effective 2026. Mirrors Virginia.
  • Kentucky (KCDPA) — Effective 2026. Mirrors Virginia.
  • Rhode Island (RIDPA) — Effective 2026.

Common Requirements Across All Laws

Despite their differences, nearly every state law requires:

  • A clear, accessible privacy policy disclosing data practices
  • A mechanism for consumers to opt out of data sales/targeted advertising
  • The ability to access, delete, and correct personal data upon request
  • Reasonable security measures to protect personal data
  • Data processing agreements with third-party vendors

What This Means for E-Commerce

If you run an online store, you almost certainly need:

  • A privacy policy — not a generic template, but one that reflects your actual data practices
  • A cookie consent banner — that actually blocks non-essential tracking until consent is given
  • A "Do Not Sell" link — required in most states if you use advertising trackers
  • A process for handling consumer requests — even a simple email workflow counts

Where to Start

The fastest way to assess your current compliance is to scan your website with a tool like ClearConsent. In 30 seconds, you'll see exactly which trackers, cookies, and privacy signals are present — and which state laws are most relevant to your business.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free