For years, CCPA (the California Consumer Privacy Act) was the only meaningful US state privacy law that online businesses needed to track. That era is over. As of 2026, more than 20 states have enacted comprehensive consumer privacy legislation, and the majority of them are now in force. If you operate an online business that collects data from US consumers, you likely have obligations in multiple states simultaneously.
The major state laws in force
The following state privacy laws are the most significant for online businesses to understand:
- California CCPA/CPRA — the original and most comprehensive. Applies to for-profit businesses with annual revenue over $25M, or processing data from 100,000+ consumers, or deriving 50%+ revenue from data sales. Grants rights to know, delete, correct, opt out, and limit use of sensitive data.
- Virginia VCDPA (Virginia Consumer Data Protection Act) — applies to businesses processing data of 100,000+ Virginia consumers annually, or 25,000+ consumers while deriving 50%+ revenue from data sales. Similar rights to CCPA but with some differences in scope and enforcement.
- Colorado CPA (Colorado Privacy Act) — similar thresholds to Virginia. Notable for requiring opt-out rights for targeted advertising, which applies broadly to online businesses running interest-based advertising.
- Connecticut CTDPA — modelled on Virginia VCDPA. Applies to businesses processing data of 100,000+ Connecticut consumers.
- Texas TDPSA (Texas Data Privacy and Security Act) — broader applicability than most state laws: applies to any business that conducts business in Texas and processes personal data, subject to a small business exemption. Notably has no revenue threshold.
- Florida FDBR (Florida Digital Bill of Rights) — applies to controllers with annual revenue over $1B who operate a search engine, social media platform, or app store. Primarily targets large tech companies.
- Oregon OCPA, Montana MCDPA, Delaware DPDPA, and several others — each with their own thresholds and effective dates.
What the laws have in common
Despite their differences, the major state privacy laws share a core set of consumer rights and business obligations:
- Right to access personal data the business holds
- Right to correct inaccurate data
- Right to delete personal data
- Right to opt out of the sale of personal data
- Right to opt out of targeted advertising
- Right to opt out of profiling for decisions with legal or significant effects
- Data minimisation — only collect what is necessary for disclosed purposes
- Purpose limitation — do not use data for undisclosed purposes
Most state laws do not require opt-in consent for general data processing (unlike GDPR). However, sensitive data categories — health, race, religion, sexual orientation, precise geolocation, financial data, immigration status — typically require opt-in consent under most state frameworks.
The practical approach for multi-state compliance
Managing compliance across 20+ state laws individually is not realistic for small businesses. The practical approach is to build to the highest common standard — CCPA/CPRA — and extend it to cover the additional requirements of other state laws. A CCPA-compliant privacy policy that also includes universal opt-out mechanisms for targeted advertising, rights for all US consumers regardless of state, and a dedicated opt-in mechanism for sensitive data will satisfy the core requirements of virtually every current state law.
The Global Privacy Control (GPC) browser signal is increasingly important: several state laws require that you honour it as a valid opt-out signal for selling and sharing personal data. If you use a Consent Management Platform, confirm that it is configured to respect the GPC header.
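As an added example that is not from the original article, the following Python shows how a web backend can honour the GPC signal before any sale/share or targeted-advertising tags are loaded. It assumes the GPC specification's `Sec-GPC: 1` request header and `/.well-known/gpc.json` support document; the stored preference values, the tag inventory and the "GPC always wins over an older stored preference" rule are assumptions of this example, not rules stated by any particular statute.

```python
import json
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive

# Constructed sample tag inventory for this demo (not a real site's tags).
SAMPLE_TAGS = [
    {"id": "first-party-analytics", "purpose": "measurement"},
    {"id": "adnet-retargeting", "purpose": "targeted-advertising"},
    {"id": "broker-audience-sync", "purpose": "data-sale"},
]
# Purposes that must be suppressed once the visitor has opted out.
RESTRICTED_PURPOSES = {"targeted-advertising", "data-sale"}


def gpc_opt_out_requested(headers: Mapping[str, str]) -> bool:
    """True only when the request carries exactly 'Sec-GPC: 1'.

    The GPC spec defines '1' as the only meaningful value; a missing header,
    '0', 'true' or anything else is NOT an opt-out signal."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get(GPC_HEADER) == "1"


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool  # True => do not sell/share or target-advertise
    source: str      # how the decision was reached (keep for audit logs)


def decide_opt_out(headers: Mapping[str, str],
                   stored_preference: Optional[str]) -> OptOutDecision:
    """Combine the GPC signal with a preference saved earlier ('allow'/'deny').
    Assumed conservative rule: GPC always results in opt-out, even when an
    older stored preference allowed sale; a stored 'deny' also opts out."""
    if gpc_opt_out_requested(headers):
        return OptOutDecision(True, "gpc-header")
    if stored_preference == "deny":
        return OptOutDecision(True, "stored-preference")
    return OptOutDecision(False, "default")


def permitted_tags(headers: Mapping[str, str], stored_preference: Optional[str],
                   tags=SAMPLE_TAGS) -> list:
    """Return the ids of tags the page may load for this visitor."""
    if decide_opt_out(headers, stored_preference).opted_out:
        return [t["id"] for t in tags if t["purpose"] not in RESTRICTED_PURPOSES]
    return [t["id"] for t in tags]


def gpc_well_known_document(last_update: str) -> str:
    """Body served at /.well-known/gpc.json to advertise GPC support."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})
```

The header check is deliberately strict so that a malformed or absent header never silently changes the visitor's outcome in either direction.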