Updated April 2026

US State Privacy Laws 2026: What Your Organization Needs to Know Before Enforcement Begins

As of January 2026, 20 US states have comprehensive privacy laws on the books, each with different requirements, timelines, and enforcement mechanisms. Three new laws in Indiana, Kentucky, and Rhode Island took effect on January 1, joining an already complex patchwork of 17 existing state statutes.

No comprehensive federal privacy law is on the horizon. State attorneys general are shifting from education to enforcement. And if your organization operates across multiple states or entities, the compliance burden is multiplying fast.

This is your complete guide to what's changed, what's coming, and how to prepare.

20
States with comprehensive privacy laws in 2026
MultiState, February 2026
3
New state laws effective January 1, 2026
IAPP US State Privacy Tracker
0
Federal privacy laws expected to preempt state action
Smith Anderson, January 2026
Trusted by 50+ privacy teams across 14 countries, in healthcare, aviation, energy, legal and technology.

Why 2026 Is the Year US Privacy Compliance Gets Exponentially Harder

The patchwork is no longer theoretical. Several forces are converging to make multi-state privacy compliance a fundamentally different challenge from what it was even two years ago.

19 to 20
States with comprehensive privacy laws in effect, 2026

The Patchwork Reached Critical Mass

In 2023, only five states had comprehensive privacy laws in effect. As of January 2026, that number stands at 19 or 20, depending on whether Florida's Digital Bill of Rights is counted as a comprehensive law. Indiana, Kentucky, and Rhode Island all became effective on January 1, 2026, and Arkansas follows in July. Each law carries its own definitions, applicability thresholds, consumer rights, cure-period rules, and enforcement provisions.

Sources: IAPP US State Privacy Legislation Tracker (updated April 2026); Smarsh US Data Privacy Updates 2026; MultiState Insider, February 2026

0
Federal comprehensive privacy laws expected in the near term

No Federal Preemption Is Coming

There were no significant efforts in 2025 around the proposal or passage of federal comprehensive privacy legislation. Based on the priorities of the current administration, a federal standard remains unlikely in the near term. State attorneys general will continue to lead data privacy consumer protection, and organizations cannot wait for simplification that is not on the horizon.

Sources: Smith Anderson, "Data Privacy in 2026: State Enforcement Takes Center Stage," January 2026; Wolters Kluwer Privacy Insights, January 2026

$2.75M
Largest CPPA settlement as of early 2026

Enforcement Is Accelerating, Not Slowing

State attorneys general are no longer warming up. The California Privacy Protection Agency set a record with a $2.75 million settlement in February 2026, surpassing its previous high of $1.35 million (the Tractor Supply Company settlement). Texas has emerged as an aggressive privacy enforcer, and enforcement activity across California, Texas, and Connecticut is intensifying, with multi-million dollar penalties now established as precedent.

Sources: Secure Privacy US State Privacy Law Tracker, March 2026; Sidley Austin Data Matters Blog, 2026

120
Compliance obligations for 8 entities across 15 states

The Multi-Entity Math Is Brutal

A company with 8 subsidiaries operating in 15 states does not face 15 compliance obligations. It faces 120. Each entity must independently demonstrate compliance under each applicable state law: maintaining records of processing activities, conducting data protection assessments, and responding to consumer rights requests. Most state laws define "controller" at the legal-entity level, so a group-level attestation does not satisfy an obligation that attaches to each subsidiary separately.

Illustrative calculation: 15 states x 8 entities = 120 distinct compliance obligations

9
Existing state privacy laws amended in 2025 alone

Laws Keep Changing After They Pass

Compliance is not a one-time exercise. Nine states with existing comprehensive privacy laws amended them in 2025. California finalized new regulations on automated decision-making technology, cybersecurity audits, and risk assessments. Connecticut narrowed its exemption for financial institutions. Oregon strengthened its protections for precise geolocation and minors' data. Cure periods are expiring across multiple states, raising enforcement stakes significantly.

Sources: Smith Anderson, January 2026; Baker Donelson, January 2026; IAPP, January 2026

$0
Rhode Island's cure period for privacy violations

Reactive Compliance Is Becoming Unaffordable

Proactive compliance programs get more efficient over time as processes mature. Reactive compliance gets more expensive as regulatory volume increases. Rhode Island offers no cure period for violations, with penalties up to $10,000 each. Montana's cure period expires in April 2026. Organizations that build structured programs spend predictable amounts, while those scrambling after enforcement actions face costs that compound rapidly.

Sources: Koley Jessen, January 2026 (RI penalties); VeraSafe US Privacy Laws 2026; Compliance and Risks, March 2026

The IAPP US State Privacy Legislation Tracker monitors these developments in real time. For multi-entity organizations, tracking alone is not enough. You need a structured approach to operationalize compliance across every subsidiary and jurisdiction.

Download the 2026 US State Privacy Law Comparison Matrix

Every US State Privacy Law in Effect or Taking Effect in 2026

This table covers all comprehensive state privacy laws currently in effect, plus those becoming effective in 2026. Laws are listed by effective date. Applicability thresholds, enforcement models, and cure periods vary significantly — making a unified compliance approach essential for multi-entity organizations.

State | Law | Effective Date | Applicability Threshold | Cure Period | Enforcement | Max Penalty
California | CCPA / CPRA | Jan 1, 2020 / Jan 1, 2023 | $25M+ annual revenue, or 100K+ consumers/households, or 50%+ revenue from selling or sharing personal data | None (expired Jan 2023) | AG + CPPA | $7,500/violation (intentional or involving minors; $2,500 otherwise)
Virginia | VCDPA | Jan 1, 2023 | 100K+ consumers, or 25K+ consumers with 50%+ revenue from data sales | 30 days | AG only | $7,500/violation
Colorado | CPA | Jul 1, 2023 | 100K+ consumers, or 25K+ consumers with any revenue or discount from data sales | 60 days (expired Jan 2025) | AG + district attorneys | $20,000/violation
Connecticut | CTDPA | Jul 1, 2023 | 100K+ consumers (excluding payment-only transactions), or 25K+ consumers with 25%+ revenue from data sales | 60 days (expired Dec 2024) | AG only | $5,000/violation
Utah | UCPA | Dec 31, 2023 | $25M+ revenue and either 100K+ consumers or 25K+ consumers with 50%+ revenue from data sales | 30 days | AG only | $7,500/violation
Oregon | OCPA | Jul 1, 2024 | 100K+ consumers, or 25K+ consumers with 25%+ revenue from data sales | 30 days (expired Jan 2026) | AG only | $7,500/violation
Texas | TDPSA | Jul 1, 2024 | Conducts business in TX or offers products/services consumed by TX residents and processes or sells personal data; no revenue or volume threshold, but SBA-defined small businesses are exempt | 30 days | AG only | $7,500/violation
Florida | FDBR | Jul 1, 2024 | $1B+ global revenue plus additional criteria (e.g. 50%+ revenue from online advertising, or operating an app store or smart-speaker service) | 45 days (at AG discretion) | Dept. of Legal Affairs (AG) | $50,000/violation
Montana | MCDPA | Oct 1, 2024 | 50K+ consumers, or 25K+ consumers with 25%+ revenue from data sales | 60 days (expires Apr 2026) | AG only | $7,500/violation
Delaware | DPDPA | Jan 1, 2025 | 35K+ consumers, or 10K+ consumers with 20%+ revenue from data sales | 60 days (expired Dec 2025) | AG (Dept. of Justice) | $10,000/violation
Iowa | ICDPA | Jan 1, 2025 | 100K+ consumers, or 25K+ consumers with 50%+ revenue from data sales | 90 days | AG only | $7,500/violation
Nebraska | NDPA | Jan 1, 2025 | Texas model: conducts business in NE or targets NE residents and processes or sells personal data; no revenue or volume threshold, but SBA-defined small businesses are exempt | 30 days | AG only | $7,500/violation
New Hampshire | NHPA | Jan 1, 2025 | 35K+ consumers, or 10K+ consumers with 25%+ revenue from data sales | 60 days (expired Dec 2025) | AG only | $10,000/violation
New Jersey | NJDPA | Jan 15, 2025 | 100K+ consumers (excluding payment-only transactions), or 25K+ consumers with any revenue or discount from data sales | 30 days (expires Jul 2026) | AG (Division of Consumer Affairs) | $10,000/violation (first); $20,000 subsequent
Tennessee | TIPA | Jul 1, 2025 | $25M+ revenue and either 175K+ consumers or 25K+ consumers with 50%+ revenue from data sales | 60 days | AG only | $7,500/violation (trebled if willful)
Minnesota | MCDPA | Jul 31, 2025 | 100K+ consumers, or 25K+ consumers with 25%+ revenue from data sales | 30 days (expired Jan 2026) | AG only | $7,500/violation
Maryland | MODPA | Oct 1, 2025 | 35K+ consumers, or 10K+ consumers with 20%+ revenue from data sales | 60 days (through Apr 2027) | AG only | $10,000/violation ($25,000 for repeat violations)
Indiana | ICDPA | Jan 1, 2026 | 100K+ consumers, or 25K+ consumers with 50%+ revenue from data sales | 30 days | AG only | $7,500/violation
Kentucky | KCDPA | Jan 1, 2026 | 100K+ consumers, or 25K+ consumers with 50%+ revenue from data sales | 30 days | AG only | $7,500/violation
Rhode Island | RIDTPPA | Jan 1, 2026 | 35K+ consumers, or 10K+ consumers with 20%+ revenue from data sales | None | AG only | $10,000/violation

Sources: IAPP US State Privacy Legislation Tracker (updated April 2026); MultiState Insider, February 2026; Smarsh US Data Privacy Updates 2026; Smith Anderson, January 2026. Florida's FDBR is sometimes excluded from comprehensive privacy law counts due to its narrow applicability threshold. Cure periods noted above reflect the current status — several states have sunset or are sunsetting their cure periods, increasing enforcement risk.

Looking ahead: Arkansas (SB 396) takes effect July 1, 2026. Multiple additional states including Georgia, Pennsylvania, and Wisconsin have active privacy bills in 2026 sessions.

Download the Full Comparison Matrix (PDF)

The numbers behind calmer compliance teams

200+
Hours saved on ISO 27001 preparation

Medtec saved 200+ hours preparing for ISO 27001. The typical certification process takes 6 to 12 months without dedicated tooling.

Medtec, verified customer result

60%
Less compliance admin time vs. legacy platforms

Aircraft manufacturer cut compliance admin time by 60% in their first 6 months, while enterprise privacy platforms like OneTrust commonly cost from the mid-five figures into six figures annually.

Aircraft manufacturer, first 6 months on Priverion

3 mo.
Ahead of schedule on ISO 27001 readiness

Most organizations need 6 to 12 months for ISO 27001 certification. With Priverion's audit-ready evidence packages, teams compress that timeline significantly.

Based on ISO 27001 industry benchmarks (Vanta, ISMS.online, 2026)

Built for mid-market reality, not enterprise bloat

With GDPR fines exceeding EUR 7.1 billion and enforcement accelerating across Europe, you need a privacy platform that works for your team on day one. Not one that takes months to configure and costs six figures before you see value.

Source: DLA Piper GDPR Fines and Data Breach Survey, January 2026

Priverion

Purpose-built for multi-entity privacy programs

  • Swiss data sovereignty, guaranteed

    Swiss-built and Swiss-hosted. All data processing stays within Swiss infrastructure. What determines exposure to the US CLOUD Act and FISA Section 702 is the jurisdiction of the provider that controls the data, not the physical location of the servers, which is why Swiss hosting by a Swiss provider matters. In a post-Schrems II landscape, this is not a marketing claim; it is a legal safeguard for cross-border data transfers.

  • Operational in weeks, not months

    Aircraft manufacturer went from spreadsheet-based compliance to fully automated ROPA recertification in their first 6 months, cutting 60% of compliance admin time. No professional services engagement required to get started.

    Aircraft manufacturer, first 6 months on platform

  • Predictable, transparent pricing

    Priced by number of companies and organizational size. No per-user fees, no per-module expansion traps, no surprise annual increases. Your CFO will appreciate being able to budget without guesswork.

  • Group-wide compliance from one platform

    ROPA management, DPIA/TIA automation, vendor risk assessments, DSR handling, incident management, and AI Register for EU AI Act readiness. All included, all connected, all visible from one DPO dashboard.

  • AI-assisted, human-decided

    AI drafts DPIAs, scores risks, and maps regulatory requirements. Every output is reviewed before it becomes a compliance record. No customer data is ever used for model training. Transparency and control come first.

  • Deep integrations where it matters

    Meaningful connections with HR, procurement, and IT asset management systems. Not 200 shallow connectors that create maintenance overhead. Focused depth over unfocused breadth.

OneTrust

Enterprise-scale platform with enterprise-scale complexity

  • US-headquartered, subject to US law

    US-based providers remain subject to the CLOUD Act and FISA Section 702, which can compel data disclosure even for data stored in Europe. EU Member States formalized this concern in the November 2025 Berlin Declaration for European Digital Sovereignty.

    Source: Berlin Declaration for European Digital Sovereignty, Nov 2025

  • Weeks of configuration before value

    Mid-market users consistently report steep learning curves and extensive setup timelines. As one G2 reviewer noted, configuring workflows and mapping data took "several weeks" before the platform became functional. Smaller teams find the complexity particularly challenging.

    Source: G2 and Capterra user reviews, 2025/2026

  • Opaque, modular pricing that escalates

    No public pricing. Each module is billed on its own metric, and implementation services for enterprise GRC platforms are typically billed separately on top of the software contract. Per aggregated buyer-reported pricing data, mid-market deployments commonly range from the mid-five figures up to the low six figures annually.

    Sources: Vendr market data (Feb 2026), Enzuzo pricing analysis (Mar 2026), accessed 2026-05-18

  • Breadth at the cost of focus

    Five product lines spanning consent, privacy, GRC, ethics, and third-party risk. Powerful for Fortune 500 organizations with dedicated teams, but mid-market companies often pay for capabilities they never use. ESG, ethics hotlines, and cookie consent may not be what your DPO needs most.

  • AI governance expanding, but complex

    AI Governance features launched in 2025 are well-regarded by analysts. However, adding AI modules means another pricing tier and another layer of configuration on top of an already complex platform.

  • Extensive integrations, extensive overhead

    Connects with hundreds of systems including deep Microsoft integrations. Organizations frequently need dedicated teams to manage OneTrust implementations and ongoing maintenance.

    Source: Capterra and G2 user reviews, 2025/2026

EUR 7.1B+
Cumulative GDPR fines since May 2018. Enforcement is accelerating, with EUR 1.2 billion issued in 2025 alone.
DLA Piper GDPR Fines and Data Breach Survey, January 2026
443/day
Average breach notifications received daily by European data protection authorities, a 22% year-over-year increase.
DLA Piper GDPR Fines and Data Breach Survey, January 2026
40%
Predicted share of major enterprises that will mandate data-sovereignty controls from their cloud providers by end of 2025.
Industry analyst forecast (TechClass, 2025)

A note on honesty

Priverion does not cover ESG, ethics hotlines, or cookie consent. We are not built for single-entity companies. If you are a Fortune 500 with 200+ integration requirements and dedicated compliance engineering teams, OneTrust may be the right fit. If you are a mid-market organization managing privacy across multiple subsidiaries and need to be operational in weeks with predictable costs, that is exactly what we built for.

Book a 30-min walkthrough

See how Aircraft manufacturer achieved 60% less compliance admin in 6 months

The 2026 US State Privacy Law Compliance Guide

19 to 20 states now have comprehensive privacy laws in effect, with enforcement intensifying across California, Texas, Connecticut, and beyond. Managing this patchwork across a multi-entity organization requires more than a spreadsheet. This guide breaks it down.

Inside the guide, you will find:

  • A state-by-state breakdown of all 2026 effective dates, cure periods, and enforcement thresholds for Indiana, Kentucky, Rhode Island, and amended laws in California, Oregon, and beyond
  • Key differences in applicability thresholds, from Rhode Island's low bar of 35,000 consumers to the Virginia-model 100,000-consumer standard used by Indiana and Kentucky
  • A practical compliance checklist covering risk assessments, privacy notices, opt-out mechanisms, and sensitive data consent requirements across multiple jurisdictions
  • Penalty ranges by state, including up to $7,500 per violation in Indiana and Kentucky and up to $10,000 per violation in Rhode Island, so you know where enforcement risk is highest

Data sourced from the IAPP US State Privacy Legislation Tracker (updated April 2026) and state attorney general enforcement records.

Get the free PDF

Your compliance team will thank you. Delivered straight to your inbox.

Free PDF. No demo required. We'll send it to your inbox.

Why this matters now:

State attorneys general are increasingly coordinating enforcement, and new California regulations for automated decision-making, risk assessments, and cybersecurity audits went into effect January 1, 2026. Waiting is the most expensive compliance strategy.

Stop managing compliance in spreadsheets

See what group-wide privacy management looks like when it actually works

Regulators have issued over 2,200 GDPR fines totalling approximately EUR 5.65 billion since 2018, with enforcement accelerating into mid-market and SME sectors.

Source: CMS GDPR Enforcement Tracker Report, March 2025

In 30 minutes, we will walk you through how organizations like Aircraft manufacturer cut compliance admin time by 60% in their first six months, and how automated ROPA recertification, AI-assisted DPIAs, and cross-entity data mapping can do the same for your team.

60%
Less compliance admin time