With no federal privacy law in sight, states are taking matters into their own hands. As of April 2026, 22 states have enacted comprehensive data privacy legislation. Here's what you need to know.
States with Active Privacy Laws
California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Kentucky, Rhode Island, Vermont, Pennsylvania, and Illinois.
Common Rights Across States
- Right to know what data is collected about you
- Right to delete your personal data
- Right to opt out of data sales
- Right to correct inaccurate information
- Right to data portability
For Businesses
If you operate online and serve customers in multiple states, you effectively need to comply with the strictest law (California). Implement a universal privacy policy, honor opt-out requests regardless of state, and maintain data inventory records.
The patchwork of state laws is intentionally designed to pressure Congress into passing a federal standard. Until that happens, compliance is complex but necessary.
