There is a particular kind of compliance fatigue that comes from watching a patchwork grow with no federal resolution in sight. In 2026, that fatigue is justified. Twenty states now have comprehensive consumer privacy laws in effect, Congress has not passed a preemptive federal standard, and — the part that changes the calculus — regulators have moved decisively from issuing guidance to writing checks. The era of “the law exists but nobody enforces it” is over.

This article is the consolidated map: who is in effect, what is new in 2026, where enforcement is actually landing, and how to run a program across twenty regimes without building twenty programs.

The 2026 additions

Three new comprehensive laws came online in 2026, all built on the Virginia model that has become the de facto template for the second wave of state privacy statutes:

  • Indiana (SB 5)
  • Kentucky (HB 15)
  • Rhode Island (HB 7787 / SB 2500)

All three track the familiar Virginia framework — consumer rights to access, correct, delete, and port; opt-outs for targeted advertising, sale, and profiling; data protection assessments for high-risk processing; and AG-only enforcement. But Rhode Island is the one to watch, because its applicability thresholds are notably lower than its peers’. Many of these laws apply only above 100,000 residents’ data (or 25,000 plus a revenue-from-sale trigger). Rhode Island’s lower bar pulls smaller businesses into scope that would escape coverage in neighboring states — a reminder that “we’re too small for state privacy law” is an assumption that has to be re-checked state by state.

Alongside the new laws, California, Colorado, Connecticut, Oregon, and Utah implemented amendments to their existing statutes in 2026 — expanding sensitive-data categories, tightening opt-out mechanics, and in California’s case layering on new requirements around automated decision-making and risk assessments. The laws you complied with in 2024 are not the laws you must comply with in 2026.

The universal opt-out reality

If there is one technical requirement that ties the patchwork together, it is the universal opt-out mechanism (UOOM) — the obligation to honor browser-level and device-level opt-out signals like Global Privacy Control automatically, without requiring the consumer to click through your own interface.

A growing majority of the comprehensive-law states now mandate recognition of these signals. This is not optional UX polish; it is a hard requirement, and — crucially — it is the requirement regulators have found easiest to test. An enforcer does not need to subpoena your data practices to check whether your site honors a GPC signal. They can load your page with the signal enabled and watch what happens. That testability is precisely why opt-out failures have become the leading enforcement theme.

Enforcement stopped being theoretical

For years the standard caveat on every state-privacy article was that enforcement was light. That caveat is now retired. California, which has both the Attorney General and the dedicated California Privacy Protection Agency (CPPA) as enforcers, has been setting the pace:

  • A $2.75 million settlement announced in February 2026 with Disney entities tied to its streaming ecosystem — the largest CCPA settlement to date — over alleged failures in honoring consumer opt-out rights.
  • A $1.4 million settlement with a mobile gaming company in late 2025.
  • A March 2026 settlement (PlayOn Sports) that established an important principle: prior remediation is no longer a penalty shield. Fixing the problem after you are caught no longer buys you out of a fine the way the CCPA’s old cure period once did.

Two patterns run through all of it. First, opt-out failures dominate. The recurring allegation is that consumers could not fully and easily exercise their right to opt out of the sale or sharing of personal information — broken Global Privacy Control handling, opt-out flows that didn’t propagate to downstream partners, dark patterns in the consent interface. Second, the cure period is closing. California’s statutory right to cure violations before enforcement has sunset, and regulators have made clear that after-the-fact fixes do not erase liability. The strategic implication is blunt: you cannot wait for a complaint and then fix it. The fix has to precede the scrutiny.

And California is not alone. Texas has stood up an active privacy enforcement operation under its Data Privacy and Security Act, Connecticut’s AG has been issuing cure notices and following up, and the multi-million-dollar penalty is now established precedent rather than a hypothetical ceiling.

How to run one program across twenty regimes

The mistake is to treat twenty laws as twenty projects. They are not. Beneath the variation, the second-wave laws share enough DNA that a well-designed program built to the strictest common denominator covers most of the field. Practical approach:

  1. Build to the high-water mark, apply everywhere. Engineer your consumer-rights workflows, opt-out handling, and data-protection assessments to the strictest state in each category — generally California — and deploy them nationally. Maintaining separate weaker flows for weaker states costs more than it saves and creates the inconsistencies regulators notice.
  2. Make universal opt-out signals work, and prove it. Honoring Global Privacy Control across web and, where required, app surfaces is the single highest-leverage control. Test it the way an enforcer would: load your properties with the signal on and confirm sale/share actually stops, including at downstream ad partners.
  3. Re-check applicability against the lowest thresholds. Rhode Island’s lower bar — and the under-100,000 reach of laws like Texas’s (which keys to “doing business” rather than a hard count) — means coverage questions cannot be answered once and filed away.
  4. Refresh data protection assessments for the 2026 amendments. California, Colorado, and others expanded what triggers an assessment, particularly around profiling and automated decision-making. Yesterday’s DPAs may no longer be sufficient.
  5. Assume no cure period. Design and ship compliance ahead of scrutiny. The “fix it when caught” posture is now an affirmatively losing strategy in California, and others are following.
  6. Watch the laws that break the template. New York’s Health Information Privacy Act and Massachusetts’s private-right-of-action bill are not Virginia clones. The patchwork is not just growing — it is diversifying, and the new entrants carry sharper teeth.
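The universal opt-out section above and step 2 of the list both come down to one mechanism: recognizing the Global Privacy Control signal and making sure data-sharing tags stop when it is present. The following is an added example, not code from the article or from any vendor it mentions. It uses the two real elements of the GPC specification, the `Sec-GPC: 1` request header and the browser’s `navigator.globalPrivacyControl` property, plus the spec’s `/.well-known/gpc.json` declaration; the tag inventory, partner names, consent record shape, and the “broken” decision function are constructed for the demonstration. It also shows the enforcer-style check the article describes: evaluate the same page with the signal on and off and report any sale/share tag that still fires.

```javascript
// Added example (not from the original article): honoring the Global Privacy
// Control (GPC) signal server-side and auditing it the way an enforcer would.
// Real GPC elements: the `Sec-GPC: 1` request header, the browser property
// `navigator.globalPrivacyControl`, and the /.well-known/gpc.json file.
// Partner names, the tag list, and the consent record are constructed.

// Read the Sec-GPC header regardless of header-name casing. The spec defines
// exactly one opt-out value, the string "1"; anything else is "no signal".
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return typeof value === 'string' && value.trim() === '1';
    }
  }
  return false;
}

// Correct decision: a tag that constitutes a sale/share of personal
// information is suppressed when EITHER the GPC signal is present OR the
// first-party consent record (e.g. a CMP cookie) says the user opted out.
function allowedTags(headers, consent, tags) {
  const optedOut = gpcSignalled(headers) || consent.optedOutOfSale === true;
  return tags.filter((tag) => !(tag.sharesData && optedOut));
}

// The failure mode regulators keep finding: the site only honors its own
// opt-out button and never looks at the browser signal. Kept here as the
// "before" so the audit below has something to catch.
function allowedTagsBroken(headers, consent, tags) {
  const optedOut = consent.optedOutOfSale === true;
  return tags.filter((tag) => !(tag.sharesData && optedOut));
}

// Constructed tag inventory for a typical page. `sharesData` marks tags
// whose firing sends personal information to a third party.
const TAGS = [
  { name: 'first-party-analytics', sharesData: false },
  { name: 'example-ad-exchange', sharesData: true },   // hypothetical partner
  { name: 'example-social-pixel', sharesData: true },  // hypothetical partner
];

// Enforcer-style audit: render the "page" with and without the signal, with
// no first-party opt-out recorded, and report any data-sharing tag that
// still fires while GPC is on. `decide` is the decision function under test.
function auditGpc(decide, tags) {
  const noConsentChoice = { optedOutOfSale: false };
  const withSignal = decide({ 'Sec-GPC': '1' }, noConsentChoice, tags);
  const withoutSignal = decide({}, noConsentChoice, tags);
  const leaks = withSignal.filter((t) => t.sharesData).map((t) => t.name);
  return {
    pass: leaks.length === 0,
    leaks,
    firedWithSignal: withSignal.map((t) => t.name),
    firedWithoutSignal: withoutSignal.map((t) => t.name),
  };
}

// Browser side: the same decision keyed to navigator.globalPrivacyControl.
// The navigator object is passed in so this runs outside a browser too.
function clientOptedOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Body of /.well-known/gpc.json: the spec's public statement that the site
// honors GPC. `lastUpdate` is an ISO 8601 date string supplied by the caller.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Run the audit against both implementations so the difference is visible.
console.log('correct:', JSON.stringify(auditGpc(allowedTags, TAGS)));
console.log('broken: ', JSON.stringify(auditGpc(allowedTagsBroken, TAGS)));
```

The audit deliberately records no first-party opt-out, because that is the case an enforcer tests: a consumer who never touched your consent banner but whose browser sends the signal. Run it against every property that loads sale/share tags, and extend the check to confirm that downstream partners actually receive the suppression (the example stops at the decision point, which is the part the article says most often fails).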

The federal question, unanswered

The obvious fix — a single preemptive federal privacy law — remains stuck, and the politics that have blocked it for a decade (the fight over private rights of action and state-law preemption) are no closer to resolution. Some federal proposals would preempt the state patchwork entirely; none have advanced. The rational planning assumption for 2026 and beyond is that the patchwork is the permanent operating environment, not a temporary state of affairs to be waited out.

Twenty states, escalating penalties, a closing cure window, and new laws that abandon the safe AG-only model. The compliance fatigue is real — but the cost of treating any of it as theoretical just went up by several million dollars.

This article is provided for informational purposes only and does not constitute legal advice.