Twenty states now enforce comprehensive privacy laws

Rule Changes
By Newzino Staff

The 2026 Wave Reshapes Data Collection Across American Consumer Apps

January 1st, 2026: Indiana, Kentucky, Rhode Island Privacy Laws Take Effect

Overview

California passed the first comprehensive state privacy law in 2018. Eight years later, twenty states have followed, creating a regulatory patchwork that now covers roughly half the American population. Indiana, Kentucky, and Rhode Island's laws took effect January 1, 2026, joining a wave of amendments and enforcement actions that force every consumer-facing app to reckon with data collection practices.

The practical effect: companies can no longer treat privacy as a California-only compliance exercise. Universal opt-out signals are mandatory in twelve states. Data brokers face registration requirements, deletion mechanisms, and a California 'strike force' hunting non-compliance. Texas extracted $2.8 billion from Meta and Google in 2025 alone. The absence of federal legislation has created, paradoxically, a de facto national standard—most new state laws simply copy Virginia's template—while leaving companies to navigate jurisdiction-by-jurisdiction variations in sensitive data definitions, cure periods, and enforcement appetite.

Key Indicators

20 States with Comprehensive Privacy Laws: Up from one state (California) in 2020, with more laws taking effect through 2026

12 States Requiring Universal Opt-Out Signals: Businesses must honor browser-based privacy signals like Global Privacy Control

$2.8B Texas Privacy Settlements in 2025: $1.4 billion each from Meta and Google for biometric and location data violations

$7,500-$10,000 Per-Violation Penalty Range: State enforcement penalties vary; California fines now adjust automatically with inflation

People Involved

Ken Paxton
Texas Attorney General (Leading aggressive state-level privacy enforcement)
Rob Bonta
California Attorney General (Overseeing California's expanding privacy enforcement apparatus)

Organizations Involved

California Privacy Protection Agency
State Regulatory Agency
Status: Primary enforcer of California privacy law alongside state Attorney General

The first dedicated state privacy enforcement agency in the United States, created by California voters through the 2020 ballot initiative that established the California Privacy Rights Act.

International Association of Privacy Professionals
Industry Association
Status: Primary tracker of global privacy law developments

The world's largest association of privacy professionals, providing research, certification, and legislative tracking for the data protection field.

Timeline

  1. Indiana, Kentucky, Rhode Island Privacy Laws Take Effect

    Enforcement

    Three new comprehensive state privacy laws become operational, bringing the total to twenty states. Rhode Island's notably low thresholds cover businesses processing data of just 35,000 consumers.

  2. California DROP Platform Launches

    Enforcement

    California's Delete Request and Opt-out Platform becomes available, allowing consumers to submit one-stop deletion requests to all registered data brokers.

  3. Universal Opt-Out Signals Required in 12 States

    Enforcement

    Connecticut and Oregon join California, Colorado, and eight other states in mandating recognition of Global Privacy Control and similar browser-based opt-out mechanisms.

  4. Maryland Online Data Privacy Act Takes Effect

    Enforcement

    Maryland's law imposes the strictest data minimization requirements among state privacy laws, banning the sale of sensitive data entirely with no consent exception.

  5. Minnesota Privacy Act Takes Effect

    Enforcement

    Minnesota's law introduces a unique requirement for businesses to identify a chief privacy officer and maintain formal data inventories.

  6. Texas Secures $1.4 Billion Google Settlement

    Enforcement

    Texas Attorney General finalizes $1.375 billion settlement with Google over geolocation tracking, incognito mode, and biometric data violations.

  7. Texas Secures $1.4 Billion Meta Settlement

    Enforcement

    Texas Attorney General announces $1.4 billion settlement with Meta for unauthorized capture of biometric data through Facebook's face recognition feature.

  8. Virginia and California Privacy Laws Fully Operational

    Enforcement

    The VCDPA takes effect and the CPRA amendments to the CCPA become operational, marking the first multi-state privacy enforcement environment.

  9. Colorado Becomes Third State

    Legislation

    Colorado Privacy Act signed into law, effective July 1, 2023.

  10. Virginia Becomes Second State with Privacy Law

    Legislation

    Virginia Consumer Data Protection Act (VCDPA) signed into law, establishing a template that most subsequent state laws will follow.

  11. California Voters Approve CPRA

    Legislation

    Proposition 24 passes, creating the California Privacy Rights Act and establishing the California Privacy Protection Agency as the nation's first dedicated state privacy regulator.

  12. CCPA Takes Effect

    Enforcement

    California Consumer Privacy Act becomes enforceable, granting residents rights to access, delete, and opt out of the sale of their personal information.

  13. California Passes First Comprehensive State Privacy Law

    Legislation

    Governor Jerry Brown signs the California Consumer Privacy Act (CCPA), making California the first state with comprehensive consumer data protection rules. The law takes effect January 1, 2020.

Scenarios

1. Patchwork Persists, Compliance Costs Rise

Discussed by: International Association of Privacy Professionals (IAPP), National Law Review, Bloomberg Law privacy analysts

Without federal preemption, more states enact privacy laws with jurisdiction-specific requirements—Maryland's data minimization rules, Minnesota's chief privacy officer mandates, New Jersey's expanded dark pattern prohibitions. Companies face mounting compliance costs as they must track and implement different rules across twenty-plus states. Large platforms standardize on the strictest requirements (effectively creating a California/Maryland-driven de facto standard), while smaller companies struggle with the complexity. Enforcement actions increase as attorneys general gain experience and precedent.

2. Federal Privacy Law Finally Passes, Preempts State Patchwork

Discussed by: American Bar Association, Congressional Research Service, industry trade groups including Chamber of Commerce

Congress enacts comprehensive federal privacy legislation that preempts most state laws, creating uniform national standards. California and industry groups reach compromise on preemption scope, preserving some state enforcement authority while eliminating the patchwork. The legislation likely follows the opt-out (rather than GDPR-style opt-in) model that dominates existing state laws. This would simplify compliance but potentially weaken protections in stricter states like Maryland.

3. Major Enforcement Action Bankrupts Mid-Size Data Broker

Discussed by: California Privacy Protection Agency statements, Consumer Reports advocacy reports, privacy law commentators

California's data broker strike force or Texas-style enforcement action targets a mid-size data broker with accumulated violations across multiple states. The combination of per-violation penalties, deletion costs, and registration requirements proves fatal. The bankruptcy creates a chilling effect across the data broker industry, accelerating consolidation and forcing remaining players to fundamentally restructure their data collection practices. First Amendment challenges to data broker regulations reach federal courts.

4. Adtech Industry Consolidates Around Privacy-First Architecture

Discussed by: AdExchanger, Advertising trade publications, privacy-focused technology companies

The combination of state privacy laws, enforcement precedents, and platform changes (cookie deprecation, App Tracking Transparency) forces the advertising technology industry to abandon third-party data models. First-party data, contextual advertising, and privacy-preserving measurement become industry standards. Major platforms that already control first-party relationships (Google, Meta, Amazon) strengthen their positions, while independent adtech companies either pivot or exit. Consumer data brokers largely disappear from the ecosystem.

Historical Context

European Union General Data Protection Regulation (2018)

May 2018

What Happened

The European Union's GDPR took effect on May 25, 2018, imposing strict opt-in consent requirements, data portability rights, and penalties up to 4% of global revenue on any company processing EU residents' data. U.S. technology companies faced immediate compliance obligations regardless of their physical location.

Outcome

Short Term

Companies worldwide scrambled to update privacy notices, implement consent mechanisms, and appoint data protection officers. Cookie consent banners became ubiquitous. Some U.S. news sites blocked European visitors rather than comply.

Long Term

GDPR became the global baseline for privacy legislation. California's CCPA, passed months later, explicitly drew inspiration from GDPR concepts while choosing an opt-out rather than opt-in model. The regulation demonstrated that regional laws could effectively constrain global technology companies.

Why It's Relevant Today

GDPR proved that comprehensive privacy regulation was enforceable against major technology platforms. Its extraterritorial reach showed that state-level U.S. laws could similarly force national compliance. The opt-in versus opt-out distinction between GDPR and U.S. state laws remains the key architectural difference.

Sarbanes-Oxley State-by-State Precedent (2002)

July 2002

What Happened

Following the Enron and WorldCom accounting scandals, Congress passed the Sarbanes-Oxley Act establishing federal corporate governance standards. Prior to SOX, corporate governance was regulated primarily through a patchwork of state laws, with Delaware's corporate-friendly statutes dominating. The federal law preempted certain state rules while preserving others.

Outcome

Short Term

Public companies faced significant compliance costs implementing new internal controls, audit committee requirements, and executive certification rules. Smaller companies complained the burden was disproportionate.

Long Term

SOX established that federal intervention could rationalize state-by-state regulatory patchworks when national interests were sufficiently compelling. The law's framework of allowing some state variation while establishing federal floors became a template for subsequent regulatory debates.

Why It's Relevant Today

Privacy legislation faces a similar state-versus-federal tension. The SOX precedent shows how federal legislation can emerge from state-level experimentation while preserving some state enforcement authority. Industry groups cite SOX compliance costs when arguing against privacy patchwork.

Do Not Call Registry Implementation (2003)

June-October 2003

What Happened

The Federal Trade Commission (FTC) launched the National Do Not Call Registry, allowing consumers to opt out of telemarketing calls. The registry built on state-level do-not-call laws that had emerged in the 1990s. Implementation required coordination between federal and state enforcement, with the FTC handling national rules while states retained authority for intrastate calls.

Outcome

Short Term

50 million phone numbers registered in the first three months. The telemarketing industry challenged the registry in court but lost. Legitimate telemarketing adapted while robocall operations moved offshore or ignored the rules.

Long Term

The registry demonstrated consumer appetite for privacy controls and the viability of opt-out mechanisms at scale. However, enforcement limitations—particularly against offshore violators—showed the limits of consent-based privacy frameworks against bad actors.

Why It's Relevant Today

Universal opt-out signals (like Global Privacy Control) mirror the Do Not Call Registry concept: a single consumer action that propagates across multiple businesses. The registry's partial success and enforcement challenges offer lessons for digital privacy opt-out implementation.
