March 24, 2026

US State Privacy Law Tracker (2026): Enforcement Updates & Compliance Playbook

Your legal team has been watching the state privacy landscape for years. You've read the headlines, attended the webinars, maybe even run a gap assessment. But as of January 1, 2026, three more states — Indiana, Kentucky, and Rhode Island — joined the active enforcement map. That brings the total to 19 states with comprehensive consumer privacy laws in effect, covering more than half of the American population. State attorneys general are no longer warming up. They are enforcing.

In 2025 alone, reported fines and penalties against US-based companies reached an estimated $1.4 billion. The California Privacy Protection Agency recorded its largest-ever settlement — $1.35 million against Tractor Supply Company — then broke that record in February 2026 with a $2.75 million settlement against a streaming company for opt-out failures. Texas secured a settlement of over $1 billion against a major technology company under the Texas Data Privacy and Security Act. Connecticut reached an $85,000 settlement with a ticket seller over an unreadable privacy notice and broken opt-out mechanisms. This is no longer a theoretical risk. It is an operational risk, and it is accelerating.

TL;DR

  • As of 2026, 19 states have comprehensive consumer privacy laws in effect, with Indiana, Kentucky, and Rhode Island joining on January 1.
  • Enforcement is intensifying across California, Texas, Connecticut, and others — with multi-million dollar penalties now established as precedent.
  • Businesses operating in multiple states must treat compliance as an ongoing operational function, not a one-time legal exercise.

Do I Need to Act? A Quick Assessment

Before working through the state-by-state tracker below, use this decision logic to establish your baseline priority level.

You are in the High Priority category if your business operates in California, Texas, or Connecticut — all three have active enforcement programmes and recent settlements — or if you process personal data of more than 100,000 consumers across any state with an active comprehensive law, or if more than 50% of your gross revenue comes from the sale of personal data. If you collect health, biometric, geolocation, financial, or children's data in any covered state, this applies regardless of volume. The cure periods that once gave businesses a window to remedy violations without penalty are disappearing: California and Colorado no longer provide them, and Rhode Island's new law launched without one.

You are in the Medium Priority category if you operate nationally or across multiple states, collect personal data as part of your product or service, and your current compliance programme was built primarily around GDPR or an older CCPA interpretation. The multi-state patchwork — with diverging definitions, thresholds, and consumer rights requirements — means a GDPR-compliant programme is necessary but not sufficient for US operations. Consent mechanics that satisfy European opt-in requirements may still fail on US opt-out obligations. Understanding what CCPA and CPRA actually require operationally, and how those requirements have evolved in 2026, is the starting point for any US compliance audit.

You are in the Monitor category if you are a small business operating in a single state with a high applicability threshold (Indiana and Kentucky both require processing data of at least 100,000 consumers, or 25,000 consumers while deriving over 50% of revenue from data sales), or if your business is covered under sectoral exemptions such as HIPAA or the Gramm-Leach-Bliley Act. Monitor does not mean ignore. Enforcement patterns in leading states tend to migrate: what California enforces today sets expectations that other AGs will apply tomorrow.

The US Privacy Law Landscape in 2026

For the first time in five years, 2025 saw no new comprehensive state privacy legislation enacted. That is not a sign of regulatory retreat — it is a sign of maturation. States that passed laws between 2021 and 2024 are now enforcing them with increasing sophistication. The era of grace periods, cure windows, and first-offender leniency is closing. Regulators have built institutional knowledge. Enforcement teams are larger, better resourced, and increasingly coordinated.

A bipartisan Consortium of Privacy Regulators now formally connects state privacy authorities across the country to share enforcement intelligence, investigative strategies, and compliance expectations. When California's CPPA runs an investigative sweep — as it did in 2024 targeting streaming services — the resulting settlements become operational guidance that every AG in the consortium can draw on. The absence of a federal privacy law makes this inter-state coordination more significant, not less. Businesses cannot rely on federal preemption to simplify their compliance obligations. They must manage the patchwork directly.

The January 1, 2026 effective dates for California's automated decision-making technology (ADMT) regulations, cybersecurity audit requirements, and risk assessment obligations compound this pressure for businesses with California exposure. These are not reporting formalities — they are substantive operational requirements. California now joins Colorado in mandating detailed documentation of how automated decision-making affects consumers, creating new evidence obligations for any company using algorithmic profiling, personalisation engines, or AI-driven decision tools. Understanding how the US state privacy law map applies to marketing and data teams has become urgent in a way it was not two years ago.

State-by-State Enforcement Tracker

California — Enforcement Status: Active and Escalating

California operates the most enforcement-intensive privacy regime in the United States. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to for-profit businesses that meet any of the following thresholds: annual gross revenue exceeding $26.6 million (the 2025–2026 inflation-adjusted figure), processing personal data of 100,000 or more California residents or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information.

The CPPA has hundreds of investigations in progress as of early 2026, with target businesses often unaware they are under scrutiny. Every public enforcement action to date has involved the right to opt out in some form — broken "Do Not Sell" links, failure to honour Global Privacy Control (GPC) signals, asymmetric consent interfaces that make opting out harder than opting in. The California Delete Act's DROP platform launched on January 1, 2026, imposing compounding daily fines of $200 per unfulfilled deletion request for registered data brokers beginning January 31, 2026. New ADMT and cybersecurity audit requirements are now operative. Any business relying on a CCPA programme built before 2024 is almost certainly operating with gaps. The current penalty structure reaches $7,988 per intentional violation under CPRA, and the CPPA has confirmed it can investigate conduct dating back to January 1, 2020.

Texas — Enforcement Status: Actively Enforced, Large-Scale Targets

Texas entered enforcement under the Texas Data Privacy and Security Act (TDPSA), which took effect July 1, 2024, with a signal that it intends to pursue significant penalties against large actors. The over $1 billion settlement with a major technology company in 2025 established Texas as a jurisdiction with real enforcement teeth. The TDPSA covers businesses that operate in Texas or target Texas residents, without the revenue or volume thresholds that exempt smaller businesses under California's model — which means applicability is broader, not narrower. Businesses must honour universal opt-out mechanisms, obtain opt-in consent for processing sensitive data, and conduct Data Protection Impact Assessments for targeted advertising, data sales, and profiling. The Texas AG has exclusive enforcement authority with no private right of action, but the settlement record indicates the AG's office will pursue matters at scale.

Connecticut — Enforcement Status: Active

Connecticut's AG settled its first action under the Connecticut Data Privacy Act (CTDPA) for $85,000 in 2025, with the violations centring on a privacy notice that was described as "largely unreadable," absent consumer rights disclosures, and inoperable opt-out mechanisms. Critically, the AG had previously issued a deficiency notice that the company failed to adequately address — a pattern regulators will use to demonstrate wilfulness and justify higher penalties in future matters. Connecticut's law was amended with effective dates in 2026, adding expanded sensitive data definitions and enhanced protections for minors under 16. The cure period under Connecticut's law — already limited — is narrowing, and the AG's office has signalled it will not treat technical opt-out failures as good-faith oversights.

Colorado — Enforcement Status: Active

Colorado's Privacy Act (CPA) is one of the most operationally demanding state laws in effect. It requires businesses to honour universal opt-out mechanisms, conduct DPIAs for high-risk processing, and now produce detailed risk assessment documentation that diverges materially from California's ADMT regime — meaning businesses cannot produce a single assessment document that satisfies both states. Colorado has no cure period and no private right of action, with the AG having exclusive enforcement authority. The CCPA and CPRA opt-out and consent mechanics differ from Colorado's requirements in ways that trip up compliance teams who build a single national consent framework without jurisdiction-aware configuration.

Virginia — Enforcement Status: Active

The Virginia Consumer Data Protection Act (VCDPA) remains in force with the AG holding exclusive enforcement authority. Virginia uses an opt-in model for sensitive data — racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, citizenship or immigration status, genetic data, biometric data, and children's data all require affirmative consent before processing. The VCDPA has a 30-day cure period, but Virginia's amendments effective in 2026 have tightened definitions and added youth protections. The Virginia model has become a legislative template — its structure is substantially replicated in Kentucky, Indiana, and several other state laws, which means building a VCDPA-compliant programme provides a meaningful compliance foundation for the newer state laws.

Indiana — Enforcement Status: Active as of January 1, 2026

The Indiana Consumer Data Protection Act (ICDPA) applies to businesses that control or process data of at least 100,000 Indiana consumers, or 25,000 consumers while deriving over 50% of gross revenue from data sales. Consumer rights under the ICDPA mirror the Virginia model: access, correction, deletion, portability, and opt-out from targeted advertising, data sales, and profiling. Opt-in consent is required for sensitive data processing. The Indiana AG has sole enforcement authority with a permanent 30-day cure window — violations carry civil penalties up to $7,500 per violation. Businesses with Indiana operations that may have assumed the law had not yet reached them should treat the January 1, 2026 effective date as a compliance deadline that has already passed.

Kentucky — Enforcement Status: Active as of January 1, 2026

The Kentucky Consumer Data Protection Act (KCDPA) mirrors the Virginia framework closely and applies under the same thresholds as Indiana: 100,000 consumers or 25,000 consumers with data-sale revenue exceeding 50% of gross revenue. It includes exemptions for HIPAA-covered entities and financial institutions governed by the Gramm-Leach-Bliley Act, as well as non-profits and higher education institutions. The Kentucky AG enforces without a private right of action, with a 30-day cure period and penalties up to $7,500 per violation. Data minimisation and purpose limitation are central obligations — organisations must limit collection to what is adequate, relevant, and reasonably necessary for disclosed purposes.

Rhode Island — Enforcement Status: Active as of January 1, 2026, No Cure Period

Rhode Island's Data Transparency and Privacy Protection Act (RIDTPPA) has a lower applicability threshold than Indiana or Kentucky: businesses controlling or processing data of 35,000 or more Rhode Island consumers, or 10,000 or more consumers while deriving over 20% of gross revenue from data sales, are covered. What distinguishes Rhode Island from most other state laws is its requirement that businesses specifically disclose the third parties with whom personal data is shared — not just categories of recipients, but named parties. That level of transparency demands a well-maintained data inventory and vendor registry. There is no cure period: the Rhode Island AG can pursue violations immediately, with penalties up to $10,000 per violation.

Other Active and Emerging States

Oregon amended its privacy law effective January 1, 2026 with stricter controls on precise geolocation data and minors' data. New Jersey's law, which became effective in 2024, has moved past its initial grace period into active enforcement discretion. Maryland's Online Data Privacy Act took effect in October 2025 with some of the most restrictive data minimisation requirements of any state law. Minnesota, Nebraska, New Hampshire, and Delaware all have laws now in effect. Each introduces its own definitional nuances, threshold variations, and enforcement mechanisms that a multi-state compliance programme must account for individually.

2026 Enforcement Trends: What Regulators Are Targeting

The enforcement actions of 2024 and 2025 are not random — they reveal a consistent set of operational failures that regulators are systematically pursuing.

Opt-out failures are the single most consistent trigger. Every California AG enforcement action has involved some failure to honour consumer opt-out rights — broken links, non-functional webforms, failure to recognise Global Privacy Control signals, or interfaces that made opting out disproportionately difficult compared to opting in. Honda's $632,500 settlement and Tractor Supply's $1.35 million settlement both centred on these failures. Implementing opt-out mechanisms is not enough — they must function correctly, respond to automated signals like GPC, and be tested regularly.

Health and sensitive data handling is a priority target for regulators at both state and federal level. Healthline Media's $1.5 million settlement arose from failure to honour GPC and misuse of health-related data for advertising purposes. Blue Shield of California triggered an investigation after misconfigured analytics tools shared health data affecting 4.7 million members. Any business operating in health, wellness, or adjacent digital spaces should treat sensitive data handling as a first-priority compliance area.

Vendor contract failures are increasingly prominent. Tractor Supply's enforcement order specifically cited insufficient service provider agreements and absence of required contractual provisions with advertising technology companies. The CPPA requires that every contract with a service provider or contractor processing personal information on your behalf include CCPA-mandated provisions — and auditing those contracts against current legal requirements has become a standalone compliance task. Managing vendor relationships at scale requires systematic approaches to data protection assessments and vendor risk documentation that spreadsheets cannot support.

Minors' data is an expanding frontier. Multiple states have moved to define minors as individuals under 18 — up from 13 — and are requiring enhanced consent, age verification, and design standards for services that may be accessed by younger users. Florida and Tennessee have enacted age-verification requirements for high-risk digital services. Texas and Virginia have strengthened youth protections in 2026 amendments. Any product or service with plausible minor-user populations needs a specific compliance review of these requirements.

Compliance Checklist for US Companies in 2026

Getting your house in order across nineteen state laws sounds paralysing. In practice, a structured approach to five core areas covers the majority of exposure.

Data mapping is the foundation. You cannot comply with access rights, deletion requests, opt-out mechanisms, or Data Protection Impact Assessments without knowing what personal data you collect, where it flows, under what legal basis, and which vendors have access to it. This is not a one-time exercise — it must stay current as your product and vendor stack evolves. Stale data maps are as dangerous as having none at all.

Consent and opt-out infrastructure must be jurisdiction-aware. California requires you to honour GPC signals. Twelve states now require honouring universal opt-out mechanisms as a de facto national standard. Sensitive data processing requires opt-in consent across Virginia, Connecticut, Colorado, Indiana, Kentucky, and Rhode Island. A single static consent banner cannot serve all these requirements simultaneously — geo-detection and jurisdiction-specific configuration are operational necessities, not nice-to-haves.

Privacy notices must be specific, readable, and accurate. Connecticut's enforcement action against an illegible notice, and its AG's emphasis on opt-out mechanisms being both present and functional, should be treated as a universal standard. Privacy notices must list categories of data collected, disclosed, and sold; identify named or categorised third parties; explain consumer rights; and describe how those rights can be exercised. The CCPA privacy policy requirements that California enforces in 2026 — including specific retention periods and sensitive data disclosures — have become the benchmark standard for what a legally defensible US privacy notice looks like.

Consumer rights fulfilment requires documented, tested workflows. Access, deletion, correction, portability, and opt-out requests must be fulfilled within mandated timeframes — typically 45 days under CCPA and 30 days under Virginia-model laws. The intake, identity verification, data retrieval, redaction, and response steps must be documented and testable, not handled ad hoc.

Vendor and service provider agreements must be audited against current legal requirements in each state. CCPA mandates specific contractual provisions in every service provider agreement. Virginia, Colorado, Connecticut, and the newer state laws require data processing agreements with mandatory terms. Rhode Island requires specific third-party disclosures. If your vendor contracts were last reviewed in 2022 or 2023, assume they need updating.

The Common Mistakes That Generate Enforcement Risk

Assuming GDPR compliance is sufficient is the most widespread error among businesses with international operations. GDPR's opt-in model for consent is more stringent than CCPA's opt-out approach in some ways, but CCPA's specific requirements — opt-out links, GPC signal recognition, specific privacy notice categories, service provider contract provisions — are operationally distinct and not automatically satisfied by a GDPR-compliant program. Businesses discover this gap when they receive a cure notice from a state AG.

Ignoring smaller or newer state laws until they generate enforcement headlines is a systemic risk. Indiana, Kentucky, and Rhode Island were enacted in 2023 and 2024 — businesses with national footprints had two to three years to prepare. The January 1, 2026 effective date was not a surprise. Maryland, Minnesota, and New Hampshire have active laws that receive less coverage than California but carry real enforcement exposure for covered businesses.

Treating consent and opt-out as website features rather than operational infrastructure is a pattern in multiple settled enforcement actions. Cookie banners that load tracking technologies before consent is registered, opt-out forms that route to dead webforms, GPC signals that are detected but not actioned — these are technical failures that regulators identify through automated scans, consumer complaints, and investigative sweeps. They are preventable with the right infrastructure, not with policy documents.

Maintaining manual compliance processes at scale creates documentation gaps that become enforcement vulnerabilities. A business handling data subject requests by email, tracking vendor contracts in spreadsheets, and running DPIAs through shared document templates will struggle to produce the evidence of accountability that regulators now expect. The CPPA explicitly noted in its Tractor Supply enforcement that compliance must be demonstrable, not merely declared. A privacy governance program built on structured workflows and audit-ready documentation is what separates organisations that survive regulatory scrutiny from those that become the next case study.

Operationalising Multi-State Compliance

The practical challenge of multi-state compliance is not legal — it is operational. Most legal teams understand what the laws require. The problem is translating those requirements into systems, workflows, and evidence that function across nineteen state regimes simultaneously.

The starting point is a unified data inventory that maps personal data flows across your entire organisation and vendor stack, annotated with applicable state laws, legal bases, and retention schedules. From this foundation, every other compliance function — DSARs, DPIAs, consent management, vendor risk, incident response — draws its inputs. Without it, every compliance function operates on incomplete information.

Consent management infrastructure must support jurisdiction-aware configuration, automatically serving the appropriate consent mechanism to users based on their location. A California resident must see an opt-out link and have GPC signals honoured. A user in a Virginia-model state must see an opt-in gate for sensitive data processing. These are not interchangeable. The technical implementation of consent management is now a compliance function as much as a product feature.
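Jurisdiction-aware consent resolution, as an added example written for this post rather than code from Secure Privacy's platform: it treats a Global Privacy Control signal as a binding opt-out where a rules table says so, requires explicit opt-in for sensitive data, records a reason for every outcome so the decision is demonstrable, and gates tag loading on the result. The rules table, jurisdiction keys and tag registry are constructed placeholders for illustration, not a statement of any state's obligations.

```javascript
'use strict';

// Constructed rules table (illustrative placeholders, not legal advice): the default model for
// sale/sharing, targeted ads and profiling, whether a universal opt-out signal such as GPC must
// be honoured, and whether sensitive data needs affirmative opt-in.
const RULES = {
  'US-CA':   { model: 'opt-out', honourGpc: true,  sensitiveOptIn: true },  // California (CCPA/CPRA)
  'US-VMOD': { model: 'opt-out', honourGpc: true,  sensitiveOptIn: true },  // placeholder: Virginia-model state
  'NONE':    { model: 'none',    honourGpc: false, sensitiveOptIn: false }, // no comprehensive law in scope
};

const PURPOSES = ['sale_sharing', 'targeted_ads', 'profiling', 'sensitive'];
// Which purposes a universal opt-out signal switches off varies by state; this constructed
// mapping treats GPC as an opt-out from sale/sharing and targeted advertising only.
const GPC_PURPOSES = new Set(['sale_sharing', 'targeted_ads']);

// GPC reaches a site in two real forms: the `Sec-GPC: 1` request header (checked server side)
// and `navigator.globalPrivacyControl === true` (checked in the browser). Both are passed in
// rather than read from globals so the logic also runs outside a browser.
function gpcAsserted(signals) {
  const s = signals || {};
  return s.secGpcHeader === '1' || s.navigatorGpc === true;
}

// Resolve the consent state for one visitor.
//   jurisdiction: key into RULES (from geo-detection)
//   signals:      { secGpcHeader, navigatorGpc }
//   choices:      { purpose: 'granted' | 'denied' } recorded from the banner, or null if none yet
// Returns { jurisdiction, gpcHonoured, decision }; each decision entry carries a reason so the
// outcome can be evidenced in an audit, not merely applied.
function resolveConsent(jurisdiction, signals, choices) {
  const rule = RULES[jurisdiction] || RULES.NONE;
  const gpcHonoured = rule.honourGpc && gpcAsserted(signals);
  const recorded = (p) => (choices && choices[p]) || null;
  const decision = {};
  for (const p of PURPOSES) {
    let state, reason;
    if (p === 'sensitive' && rule.sensitiveOptIn) {
      // Opt-in gate: nothing but an explicit grant allows sensitive-data processing.
      state = recorded(p) === 'granted' ? 'granted' : 'denied';
      reason = state === 'granted' ? 'explicit opt-in recorded' : 'opt-in required, none recorded';
    } else if (gpcHonoured && GPC_PURPOSES.has(p)) {
      // A GPC signal is a valid opt-out and overrides a stored "accept" for these purposes.
      state = 'denied';
      reason = 'GPC signal honoured';
    } else if (recorded(p) === 'denied') {
      state = 'denied';
      reason = 'consumer opted out';
    } else {
      state = 'granted';
      reason = rule.model === 'opt-out' ? 'opt-out model, no opt-out recorded' : 'no applicable restriction';
    }
    decision[p] = { state, reason };
  }
  return { jurisdiction, gpcHonoured, decision };
}

// Gate tag loading on the resolved decision. Tags are only loaded after resolveConsent() has
// run, so a GPC signal is acted on before any tracker fires. Essential tags always load.
function gateTrackers(decision, trackers) {
  return trackers
    .filter((t) => t.purpose === 'essential' || (decision[t.purpose] && decision[t.purpose].state === 'granted'))
    .map((t) => t.id);
}

// Constructed sample tag registry.
const SAMPLE_TRACKERS = [
  { id: 'consent-sdk',     purpose: 'essential' },
  { id: 'ads-pixel',       purpose: 'targeted_ads' },
  { id: 'data-broker-tag', purpose: 'sale_sharing' },
  { id: 'health-survey',   purpose: 'sensitive' },
];

// Stand-alone run: a California visitor sending GPC who earlier clicked "accept all".
const demo = resolveConsent('US-CA', { secGpcHeader: '1' },
  { sale_sharing: 'granted', targeted_ads: 'granted', sensitive: 'granted' });
console.log(JSON.stringify(demo.decision, null, 2));
console.log('tags allowed to load:', gateTrackers(demo.decision, SAMPLE_TRACKERS));
```

The same resolver run with an empty `choices` in an opt-in-for-sensitive jurisdiction yields `sensitive: denied`, which is the state a banner-gated sensitive-data tag must see until the consumer affirmatively opts in.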

Consumer rights workflows must be structured, documented, and measurably performing within mandated timeframes. This means automated intake systems, identity verification protocols, connected data retrieval across all processing systems, and completion tracking — not email inboxes and shared task lists. The CPPA's scrutiny of opt-out mechanism functionality, and the Connecticut AG's finding of "inoperable" mechanisms, signal that regulators are testing whether these systems actually work, not whether businesses claim to have them.

Vendor risk management at the scale required in 2026 demands systematic processes. Every service provider agreement must be reviewed against the applicable state laws' contractual requirements, tracked for currency, and updated when processing activities change or laws are amended. Automated vendor assessment questionnaires, contract analysis, and compliance tracking are how organisations with large SaaS stacks stay ahead of this obligation.

FAQ

Which states have comprehensive privacy laws in 2026?

Nineteen states have active comprehensive consumer privacy laws as of 2026: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

Do small businesses need to comply?

It depends on the state. California, Texas, and most Virginia-model laws set applicability thresholds based on volume of data processed or revenue from data sales. However, Texas's TDPSA applies without revenue or volume thresholds to any business that conducts business in Texas or targets Texas residents — making small business exemptions narrower than in other states. Sensitive data processing or involvement with minors' data can trigger obligations regardless of business size in some states.

What triggers applicability?

The most common triggers are processing personal data of 100,000 or more consumers in a given state; processing data of 25,000 or more consumers while deriving over 50% of gross revenue from data sales; annual gross revenue thresholds (California); or operating in states like Texas that apply no revenue or volume minimum.

How do companies manage multi-state compliance?

The most effective approach is to build to the strictest common standard — typically California's — and supplement with jurisdiction-specific configurations for states with distinct requirements. Centrally managed consent infrastructure, unified data inventories, automated DSAR workflows, and standardised vendor assessment processes are the operational building blocks. Jurisdiction-aware automation is no longer optional at scale.

What happens if you don't comply?

Penalties range from $7,500 per violation under Indiana, Kentucky, and Virginia-model laws to $10,000 per violation in Rhode Island. California's CCPA/CPRA regime carries up to $7,988 per intentional violation, assessed on a per-violation basis — meaning a single compliance gap affecting thousands of consumers can compound rapidly. Beyond financial penalties, enforcement orders typically require extensive corrective action, operational reporting to the AG, and ongoing compliance monitoring — all of which carry indirect costs that often exceed the initial fine.

The patchwork is not getting simpler. The enforcement is not getting lighter. And the expectation that your compliance programme can be documented in a spreadsheet and reviewed annually no longer survives contact with a state AG's investigative team. If your current programme was built for a different era of US privacy enforcement, this is the year to rebuild it for the one you are actually in.

Stop managing multi-state privacy compliance reactively. See how Secure Privacy's consent management platform helps companies automate jurisdiction-aware compliance across US state privacy laws and beyond.
