Twenty states now enforce comprehensive privacy laws

Rule Changes

The 2026 Wave Reshapes Data Collection Across American Consumer Apps

January 1st, 2026: Indiana, Kentucky, Rhode Island Privacy Laws Take Effect

Overview

California passed the first comprehensive state privacy law in 2018. Eight years later, twenty states have followed, creating a regulatory patchwork that now covers roughly half the American population. Indiana, Kentucky, and Rhode Island's laws took effect January 1, 2026, joining a wave of amendments and enforcement actions that force every consumer-facing app to reckon with data collection practices.

The practical effect: companies can no longer treat privacy as a California-only compliance exercise. Universal opt-out signals are mandatory in twelve states. Data brokers face registration requirements, deletion mechanisms, and a California 'strike force' hunting non-compliance. Texas extracted $2.8 billion from Meta and Google in 2025 alone. The absence of federal legislation has created, paradoxically, a de facto national standard—most new state laws simply copy Virginia's template—while leaving companies to navigate jurisdiction-by-jurisdiction variations in sensitive data definitions, cure periods, and enforcement appetite.

Key Indicators

States with Comprehensive Privacy Laws: 20. Up from one state (California) in 2020, with more laws taking effect through 2026.

States Requiring Universal Opt-Out Signals: 12. Businesses must honor browser-based privacy signals like Global Privacy Control.

Texas Privacy Settlements in 2025: $2.8B. $1.4 billion each from Meta and Google for biometric and location data violations.

Per-Violation Penalty Range: $7,500-$10,000. State enforcement penalties vary; California fines now adjust automatically with inflation.

Timeline

June 2018 to January 2026

  1. Colorado Becomes Third State

    Legislation

    Colorado Privacy Act signed into law, effective July 1, 2023.

  2. Virginia Becomes Second State with Privacy Law

    Legislation

    Virginia Consumer Data Protection Act (VCDPA) signed into law, establishing a template that most subsequent state laws will follow.

  3. California Voters Approve CPRA

    Legislation

    Proposition 24 passes, creating the California Privacy Rights Act and establishing the California Privacy Protection Agency as the nation's first dedicated state privacy regulator.

  4. California Passes First Comprehensive State Privacy Law

    Legislation

    Governor Jerry Brown signs the California Consumer Privacy Act (CCPA), making California the first state with comprehensive consumer data protection rules. The law takes effect January 1, 2020.

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

May 2018

European Union General Data Protection Regulation (2018)

The European Union's GDPR took effect on May 25, 2018, imposing strict opt-in consent requirements, data portability rights, and penalties up to 4% of global revenue on any company processing EU residents' data. U.S. technology companies faced immediate compliance obligations regardless of their physical location.

Then

Companies worldwide scrambled to update privacy notices, implement consent mechanisms, and appoint data protection officers. Cookie consent banners became ubiquitous. Some U.S. news sites blocked European visitors rather than comply.

Now

GDPR became the global baseline for privacy legislation. California's CCPA, passed months later, explicitly drew inspiration from GDPR concepts while choosing an opt-out rather than opt-in model. The regulation demonstrated that regional laws could effectively constrain global technology companies.

Why this matters now

GDPR proved that comprehensive privacy regulation was enforceable against major technology platforms. Its extraterritorial reach showed that state-level U.S. laws could similarly force national compliance. The opt-in versus opt-out distinction between GDPR and U.S. state laws remains the key architectural difference.

July 2002

Sarbanes-Oxley State-by-State Precedent (2002)

Following the Enron and WorldCom accounting scandals, Congress passed the Sarbanes-Oxley Act establishing federal corporate governance standards. Prior to SOX, corporate governance was regulated primarily through a patchwork of state laws, with Delaware's corporate-friendly statutes dominating. The federal law preempted certain state rules while preserving others.

Then

Public companies faced significant compliance costs implementing new internal controls, audit committee requirements, and executive certification rules. Smaller companies complained the burden was disproportionate.

Now

SOX established that federal intervention could rationalize state-by-state regulatory patchworks when national interests were sufficiently compelling. The law's framework of allowing some state variation while establishing federal floors became a template for subsequent regulatory debates.

Why this matters now

Privacy legislation faces a similar state-versus-federal tension. The SOX precedent shows how federal legislation can emerge from state-level experimentation while preserving some state enforcement authority. Industry groups cite SOX compliance costs when arguing against privacy patchwork.

June-October 2003

Do Not Call Registry Implementation (2003)

The Federal Trade Commission (FTC) launched the National Do Not Call Registry, allowing consumers to opt out of telemarketing calls. The registry built on state-level do-not-call laws that had emerged in the 1990s. Implementation required coordination between federal and state enforcement, with the FTC handling national rules while states retained authority for intrastate calls.

Then

50 million phone numbers registered in the first three months. The telemarketing industry challenged the registry in court but lost. Legitimate telemarketing adapted while robocall operations moved offshore or ignored the rules.

Now

The registry demonstrated consumer appetite for privacy controls and the viability of opt-out mechanisms at scale. However, enforcement limitations—particularly against offshore violators—showed the limits of consent-based privacy frameworks against bad actors.

Why this matters now

Universal opt-out signals (like Global Privacy Control) mirror the Do Not Call Registry concept: a single consumer action that propagates across multiple businesses. The registry's partial success and enforcement challenges offer lessons for digital privacy opt-out implementation.
