As of January 1, 2026, twenty U.S. states have active comprehensive consumer privacy laws. Indiana, Kentucky, and Rhode Island joined the enforcement landscape on New Year's Day, adding three new sets of applicability thresholds, consumer rights frameworks, and attorney general enforcement authorities to the compliance matrix that multi-state organizations must navigate.
The patchwork is no longer a future compliance problem. It is the current operating environment. And it is expanding.
This article maps every state currently enforcing a comprehensive privacy law, explains how their requirements differ, identifies the compliance gaps that multi-state organizations most commonly fail to close, and projects where the landscape is heading for the balance of 2026.
The Current 20-State Landscape
California – California Consumer Privacy Act (CCPA) + California Privacy Rights Act (CPRA)

- Enforcer: California Privacy Protection Agency (CPPA) + California Attorney General
- Penalty: Up to $7,500 per intentional violation; $2,500 per unintentional violation
- Cure period: None
- Applicability: Businesses with $25M+ revenue, OR 100,000+ consumers' data, OR 50%+ revenue from data sales
- Key distinction: The most expansive rights framework; the only state with a dedicated independent privacy agency; includes employee and B2B data protections.

Virginia – Consumer Data Protection Act (CDPA)

- Enforcer: Virginia Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales
- Key distinction: Template law that inspired most subsequent state legislation.

Colorado – Colorado Privacy Act (CPA)

- Enforcer: Colorado Attorney General
- Penalty: Up to $20,000 per violation
- Cure period: 60 days (through January 1, 2025, then discretionary)
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

Connecticut – Connecticut Data Privacy Act (CTDPA)

- Enforcer: Connecticut Attorney General
- Penalty: Up to $5,000 per violation
- Cure period: 60 days (through December 31, 2024, then discretionary)
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

Utah – Utah Consumer Privacy Act (UCPA)

- Enforcer: Utah Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days (no sunset)
- Applicability: $25M+ revenue AND (100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales)
- Key distinction: Most business-friendly state law; no data minimization requirement; broader exemptions.

Texas – Texas Data Privacy and Security Act (TDPSA)

- Enforcer: Texas Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: Processes data of Texas residents; does NOT have a revenue threshold – applies to small businesses if they meet data volume thresholds

Florida – Florida Digital Bill of Rights

- Enforcer: Florida Department of Legal Affairs
- Penalty: Up to $50,000 per violation
- Cure period: 45 days
- Applicability: $1 billion+ global revenue; very narrow scope limits applicability to large enterprises
- Key distinction: Highest applicability threshold of any state law – primarily affects large tech platforms.

Montana – Montana Consumer Data Privacy Act (MCDPA)

- Enforcer: Montana Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 60 days
- Applicability: 50,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

Oregon – Oregon Consumer Privacy Act (OCPA)

- Enforcer: Oregon Attorney General
- Penalty: Up to $25,000 per violation
- Cure period: 30 days (through January 1, 2026, then discretionary)
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

Texas (enforcement note): Texas was among the first states to actively use its attorney general enforcement authority, with Ken Paxton's office filing actions in 2024 and 2025 against multiple entities.
Delaware – Delaware Personal Data Privacy Act (DPDPA)

- Enforcer: Delaware Attorney General
- Penalty: Up to $10,000 per violation
- Cure period: 60 days
- Applicability: 35,000+ consumers OR 10,000+ consumers with 20%+ revenue from data sales

Iowa – Iowa Consumer Data Protection Act

- Enforcer: Iowa Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 90 days (longest cure period of any state)
- Applicability: 100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales

Tennessee – Tennessee Information Protection Act (TIPA)

- Enforcer: Tennessee Attorney General
- Penalty: Up to $15,000 per violation (treble damages for willful violations)
- Cure period: 60 days
- Applicability: $25M+ revenue AND 175,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

Maryland – Maryland Online Data Privacy Act (MODPA)

- Enforcer: Maryland Attorney General
- Penalty: Up to $10,000 first violation, $25,000 subsequent
- Cure period: 60 days
- Applicability: 35,000+ consumers OR 10,000+ consumers with 20%+ revenue from data sales
- Key distinction: Prohibits controllers from processing sensitive data unless strictly necessary – stronger than most states' "opt-out for sensitive data" approach.

Minnesota – Minnesota Consumer Data Privacy Act (MCDPA)

- Enforcer: Minnesota Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales
- Key distinction: Includes a right to question automated decision-making – broader than most states.

Nebraska – Nebraska Data Privacy Act (NDPA)

- Enforcer: Nebraska Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

New Hampshire – New Hampshire Privacy Act (NHPA)

- Enforcer: New Hampshire Attorney General
- Penalty: Up to $10,000 per violation
- Cure period: 60 days
- Applicability: 35,000+ consumers OR 10,000+ consumers with 25%+ revenue from data sales

New Jersey – New Jersey Data Privacy Act (NJDPA)

- Enforcer: New Jersey Attorney General
- Penalty: Up to $10,000 first violation, $20,000 subsequent
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 25%+ revenue from data sales

The Three New Laws: Indiana, Kentucky, Rhode Island
Indiana – Indiana Consumer Data Protection Act (IN SB 5)

- Enforcer: Indiana Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales
- Effective: January 1, 2026

Indiana's law closely follows the Virginia CDPA template. Controllers must provide privacy notices, respond to consumer rights requests (access, correction, deletion, portability, opt-out of targeted advertising and sale), conduct data protection assessments for high-risk processing, and maintain data processor agreements. The opt-out applies to sale of personal data, targeted advertising, and profiling.
Kentucky – Kentucky Consumer Data Protection Act (KY HB 15)

- Enforcer: Kentucky Attorney General
- Penalty: Up to $7,500 per violation
- Cure period: 30 days
- Applicability: 100,000+ consumers OR 25,000+ consumers with 50%+ revenue from data sales
- Effective: January 1, 2026

Kentucky also mirrors the Virginia framework. The law's requirements are substantially identical to Indiana's – both follow the CDPA template closely enough that organizations already compliant with Virginia will need primarily to add Kentucky and Indiana to their consumer rights response workflows, add the states to their data processing inventories, and update privacy notices to reflect coverage.
Rhode Island – Rhode Island Data Transparency and Privacy Protection Act (RI HB 7787/SB 2500)

- Enforcer: Rhode Island Attorney General
- Penalty: Up to $10,000 per violation
- Cure period: None – Rhode Island provides no cure period
- Applicability: 35,000+ consumers OR 10,000+ consumers with 20%+ revenue from data sales
- Effective: January 1, 2026

Rhode Island is notably more aggressive than Indiana and Kentucky. The lower applicability thresholds – 35,000 consumers versus the 100,000 floor in most states – pull in a broader range of businesses. The absence of any cure period puts Rhode Island in the same tier as California: organizations that violate the law have no right to correct the violation before enforcement action. This significantly increases the compliance risk profile for businesses that process data of Rhode Island residents.
The Compliance Gaps Multi-State Organizations Most Commonly Miss
Across the 20-state landscape, several compliance failures appear consistently in organizations that believe they are compliant:
1. State-specific consumer rights request routing. Most organizations have implemented a single consumer rights request process modeled on California or Virginia requirements. But the rights vary across states – Minnesota includes automated decision-making rights that most other states do not; Maryland requires processing restriction for sensitive data rather than just opt-out. A single-process approach produces compliance gaps for residents of states with expanded rights.
2. Cure period mismatch. Rhode Island and California provide no cure period. Colorado's is now discretionary. Organizations that have built remediation programs assuming a minimum 30-day cure window are exposed in these jurisdictions. The safe operating assumption is that no cure period is available.
3. Applicability threshold errors. The applicability thresholds differ materially across states. Rhode Island's 35,000-consumer threshold and Delaware's 35,000-consumer threshold catch businesses that fall below Virginia's 100,000 threshold. Texas has no revenue threshold at all. Organizations that scoped their compliance programs using a single high threshold may be non-compliant in lower-threshold states.
4. Sensitive data processing gaps. Sensitive data definitions vary across states – Minnesota and Maryland have expanded definitions. Processing restrictions on sensitive data range from opt-in consent requirements to outright prohibitions on non-necessary processing. Maryland's requirement that sensitive data processing be "strictly necessary" is meaningfully stronger than most states' frameworks.
5. Data protection assessment documentation. Most state laws require data protection assessments (DPAs) for high-risk processing activities – targeted advertising, profiling, processing sensitive data, and similar uses. These assessments are often the compliance element most companies have documented inadequately. An AG investigation that requests DPA records and finds they do not exist is a significant exposure.
6. Processor agreement gaps. State laws require that contracts with data processors include specific provisions – generally mirroring GDPR processor agreement requirements. Organizations using legacy vendor agreements that predate state privacy laws may have agreements that do not satisfy current requirements.
Enforcement to Watch in 2026
The state privacy enforcement landscape shifted meaningfully in 2025 and early 2026. Several developments compliance officers should track:
Texas is the most aggressive state AG. Ken Paxton's office filed multiple enforcement actions in 2024–2025 and opened investigations into several categories of businesses. Texas is notable for having no revenue threshold – applying to smaller businesses than most other states – and for Paxton's explicit public statements about enforcement priorities.
California's CPPA is conducting formal investigations. The California Privacy Protection Agency has moved from rulemaking to active enforcement, with formal investigations opened against several major data brokers and technology companies. CPPA fines can reach $7,500 per intentional violation, and the agency can investigate without waiting for a consumer complaint.
Rhode Island's no-cure-period creates immediate enforcement risk. Unlike most states, Rhode Island can take enforcement action without giving businesses an opportunity to remediate. For organizations operating in Rhode Island, the margin for error is essentially zero.
What's Coming: States to Watch for Remainder of 2026
The 20-state landscape will continue to expand. States with laws passed and scheduled for near-term enforcement:
- Michigan – Comprehensive privacy bill advanced in legislature; expected to be among the next states to enact
- Pennsylvania, Illinois (additional) – Active legislative sessions with privacy bills in committee
- Hawaii, Alaska, Maine – Bills in various stages

The Manatt Health AI Policy Tracker's count of 240 health-AI bills in 43 states in 2026 illustrates the broader legislative pace. Consumer privacy expansion is proceeding in parallel.
The 20-state compliance landscape requires a systematic, jurisdiction-mapped approach – not a single-standard program applied uniformly. The differences in thresholds, rights, cure periods, and sensitive data definitions are material enough that gap analysis against each state's specific requirements is the only reliable compliance path.
Organizations that have implemented a Virginia-plus-California framework and assumed it satisfies all 20 states have likely under-built their program. The enforcement environment in 2026, with 20 active AGs with enforcement authority, makes that assumption increasingly costly to hold.
Sources: Koley Jessen State Privacy Analysis; TrustArc 2026 State Privacy Laws Guide; MultiState.us Comprehensive Privacy Law Tracker; IAPP New State Privacy Laws 2026; Pandectes Privacy Law Updates; Cozen O'Connor State Privacy Law Alert; Ketch US Privacy Laws 2026. This article is for informational purposes only and does not constitute legal advice.



