What 20 Active State Laws Actually Mean
The US state privacy law landscape has moved faster than most compliance teams anticipated when California’s CCPA took effect in January 2020. In six years, the US went from one comprehensive state privacy law to twenty — covering an aggregate consumer population that represents the vast majority of economically active US residents.
Three states crossed the finish line on January 1, 2026: Indiana, Kentucky, and Rhode Island. Indiana’s SB 5 and Kentucky’s HB 15 largely follow the Virginia Consumer Data Protection Act template that has become the baseline for most state comprehensive privacy laws: applicability at 100,000 consumers, or at 25,000 consumers when more than 50% of gross revenue comes from selling personal data; opt-out rights for targeted advertising and data sales; data protection assessments for high-risk processing; and a 30-day cure period before enforcement. Rhode Island’s HB 7787 sets a lower threshold (35,000 consumers, or 10,000 consumers when more than 20% of gross revenue comes from data sales) and notably omits both universal opt-out recognition and a cure period, making it the strictest of the three new January 2026 laws in practice.
The states that amended existing privacy laws in 2025-2026 are equally important for compliance planners. Connecticut lowered its applicability threshold from 100,000 to 35,000 consumers and banned the sale of minors’ data. Colorado eliminated its 60-day cure period effective December 31, 2025, removing the safe-harbor buffer that compliance teams relied on for error correction. Oregon now prohibits the sale of precise geolocation data and of personal data of any person under 16. California requires data brokers to process deletion requests within 45 days and has adopted new automated decision-making technology regulations.
The pattern is clear: thresholds are falling, cure periods are disappearing, and new data categories (geolocation, minors’ data, health data) are receiving enhanced protection across multiple states simultaneously.
The Enforcement Reality: $1.55 Million, $85,000, and $1 Billion
The shift from voluntary compliance to active enforcement is no longer theoretical. Three enforcement actions from 2025 define the new landscape:
California — $1.55 million (July 2025): The California Attorney General settled with an online health information publisher for the largest CCPA settlement to date. The violations: failing to honor consumer opt-out requests, improperly sharing personal data with third parties, and — notably — maintaining an “ineffective cookie banner” that was technically present but non-functional. The enforcement action established that cosmetic compliance (having a banner, having a privacy policy) is not the same as operational compliance (the systems behind the banner actually working).
Connecticut — $85,000 (2025): The Connecticut AG settled with an online ticket provider whose privacy notice was described as “largely unreadable” and whose opt-out mechanism was “misconfigured or inoperable.” The AG had sent a prior deficiency notice that the company failed to adequately address. The settlement amount was modest, but the enforcement sequence — deficiency notice, failure to cure, formal action — established the playbook Connecticut will apply going forward.
Texas — over $1 billion (2025): Texas signaled the most aggressive enforcement posture of any state AG, settling privacy claims with a major technology company for more than $1 billion. Texas has explicitly described its enforcement landscape as “strong and active”; the settlement is both a deterrent and a signal to other state AGs of what a state-level action can yield.
These three cases together define the operational failure pattern that attracts enforcement: broken opt-out mechanisms, unreadable privacy notices, and ignored cure notices. None of the three required sophisticated detection — all were basic operational failures visible to a moderately technical AG investigator.
What Global Companies Must Do in 2026
1. Map Your US Consumer Population Against Every Applicable State Threshold
The threshold analysis is more complex than “do we have US customers?” Most state laws apply based on the number of consumers whose data is processed, not the number of paying customers. A company that operates a free tool or collects data through a website analytics integration may be processing data of far more US consumers than its customer count suggests. The threshold mapping must cover: how many consumers per state have data actively processed, how much revenue (if any) comes from the sale or sharing of their data, and whether any data categories (health, geolocation, minors’ data) attract enhanced obligations below the standard thresholds. Rhode Island’s 35,000-consumer threshold means companies well below the 100,000-consumer threshold of the Virginia-template states are now in scope.
2. Audit Opt-Out Mechanisms for Operational Functionality, Not Just Legal Presence
The California and Connecticut enforcement actions both targeted non-functional opt-out mechanisms: systems that appeared compliant but did not actually process consumer requests. This is now the primary operational compliance risk across all 20 state frameworks. Compliance teams should conduct quarterly functional tests of every consumer-facing mechanism: cookie consent tools, opt-out of sale/sharing links, data deletion request forms, and email unsubscribe flows. In states that require universal opt-out recognition, the test must also cover browser-level signals such as Global Privacy Control, not only the on-page controls. The test standard is whether a request submitted through each mechanism is actually received, processed, and fulfilled within the statutory deadline: 45 days under California’s data broker rules, 30-45 days under most state comprehensive laws. Document the test results; an enforcement investigator will ask for them.
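As an added illustration (not code from the page or from any of its sources), the following Python harness applies the test standard above to a web opt-out: it requests the same page with no signal, with a Global Privacy Control request header (Sec-GPC: 1), and with an opt-out cookie, then reports which known tracker hosts are still loaded or still set cookies afterwards. The two "sites" are constructed stand-ins for a real endpoint, and the cookie name `optout`, the tracker list and the banner markup are assumptions. Both sites render the banner, so a presence check passes both; only the functional comparison separates the working mechanism from the cosmetic one.

```python
"""Functional audit of an opt-out mechanism: the question is not "is a banner
present" but "do the trackers stop once the consumer has opted out", checked
separately for each opt-out signal the site is supposed to honor."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # constructed first-party host
# Assumption: the organisation's own list of advertising/analytics vendors.
TRACKER_HOSTS = {"ads.tracker.example", "pixel.analytics.example"}

BANNER = '<div id="cookie-banner">We use cookies. <a href="/optout">Do Not Sell</a></div>'
TRACKING_TAGS = (
    '<script src="https://ads.tracker.example/tag.js"></script>'
    '<img src="https://pixel.analytics.example/p.gif">'
)
AD_COOKIE = "_adid=abc; Domain=ads.tracker.example; Path=/"


@dataclass
class Response:
    html: str
    set_cookie: list


def opted_out(headers: dict, cookies: dict) -> bool:
    # Sec-GPC: 1 is the Global Privacy Control request header (real);
    # the "optout" cookie name is a constructed stand-in for the site's own.
    return headers.get("Sec-GPC") == "1" or cookies.get("optout") == "1"


def honoring_site(headers: dict, cookies: dict) -> Response:
    """Constructed server whose banner is backed by working logic."""
    if opted_out(headers, cookies):
        return Response(f"<html><body>{BANNER}</body></html>", [])
    return Response(f"<html><body>{BANNER}{TRACKING_TAGS}</body></html>", [AD_COOKIE])


def cosmetic_site(headers: dict, cookies: dict) -> Response:
    """Constructed server that renders the banner but never reads the signal:
    the 'present but non-functional' failure mode cited in the enforcement actions."""
    return Response(f"<html><body>{BANNER}{TRACKING_TAGS}</body></html>", [AD_COOKIE])


class _ThirdPartyHosts(HTMLParser):
    """Collect hosts the page would contact through script/img/iframe src."""
    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        if host and host != self.first_party:
            self.hosts.add(host)


def third_party_hosts(html: str, first_party: str = FIRST_PARTY) -> set:
    parser = _ThirdPartyHosts(first_party)
    parser.feed(html)
    return parser.hosts


def cookie_domains(set_cookie: list) -> set:
    """Hosts named in the Domain= attribute of Set-Cookie headers."""
    domains = set()
    for header in set_cookie:
        for attr in header.split(";")[1:]:
            key, _, value = attr.strip().partition("=")
            if key.lower() == "domain":
                domains.add(value.lstrip("."))
    return domains


def has_banner(html: str) -> bool:
    """The cosmetic check an investigator is NOT satisfied by."""
    return 'id="cookie-banner"' in html


def audit(site, trackers: set = TRACKER_HOSTS) -> dict:
    """For each opt-out signal, return the tracker hosts still reached after
    opting out (tags loaded or cookies set). Empty sets mean the mechanism works."""
    signals = {
        "Sec-GPC header": ({"Sec-GPC": "1"}, {}),
        "opt-out cookie": ({}, {"optout": "1"}),
    }
    report = {}
    for name, (headers, cookies) in signals.items():
        resp = site(headers, cookies)
        reached = third_party_hosts(resp.html) | cookie_domains(resp.set_cookie)
        report[name] = reached & trackers
    return report


if __name__ == "__main__":
    for label, site in (("honoring", honoring_site), ("cosmetic", cosmetic_site)):
        baseline = site({}, {})
        print(f"{label}: banner present={has_banner(baseline.html)}, "
              f"baseline trackers={sorted(third_party_hosts(baseline.html))}")
        for signal, leaked in audit(site).items():
            print(f"  after {signal}: {'OK' if not leaked else 'LEAK ' + str(sorted(leaked))}")
```

Against a live site the two constructed servers would be replaced by real requests, and the per-signal results, dated, are the documentation the investigator asks for; a banner that passes `has_banner` while `audit` reports leaks is exactly the "ineffective cookie banner" finding from the California case.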
3. Publish Privacy Notices That a Non-Lawyer Can Read in Under Two Minutes
Connecticut’s $85,000 settlement turned on a privacy notice described as “largely unreadable.” The readability standard is not a style suggestion — it is an enforcement criterion that multiple AGs are now applying. Privacy notices must describe, in plain language: what personal data is collected, for what purposes, with whom it is shared, how consumers can exercise their rights, and how long data is retained. Legal teams that write privacy notices for attorneys who will assess them in litigation should instead commission a user test: can a typical consumer read and understand the material information in two minutes? If not, it will not survive an AG’s “readability” assessment. A tiered privacy notice format — short summary at the top, detailed disclosure below — is now the de facto standard for readability compliance.
4. Eliminate Cure Period Reliance as a Compliance Strategy
Colorado’s elimination of its 60-day cure period effective December 31, 2025, and Connecticut’s enforcement of deficiency notices that went unaddressed, establish that the cure period is a depleting resource across the US state landscape. Several states that currently maintain cure periods are reviewing them under 2026 legislative sessions — Indiana’s 30-day cure period, for example, is likely to come under legislative scrutiny. Companies that have treated cure periods as a safety net — relying on the ability to fix violations after an AG notice rather than building proactive compliance — are structurally exposed as cure periods disappear. The compliance posture must shift to pre-enforcement readiness: systems that work before an investigator arrives, not systems that can be fixed after a deficiency notice.
The Structural Lesson: Concurrent Multi-State Enforcement Is the New Normal
The US state privacy landscape has reached a threshold that makes piecemeal state-by-state compliance unworkable for any organization processing data at scale. Twenty laws, with overlapping but non-identical requirements, create a compliance matrix that can only be managed through a common baseline approach.
The baseline that satisfies the most stringent combination of current state requirements — California, Connecticut, Colorado, and Rhode Island — functions as a national de facto standard. An organization that builds its privacy program to satisfy these four states’ requirements will be in compliance with the Virginia-template states (Indiana, Kentucky, and most others) by default, since the Virginia template is less demanding on thresholds, cure periods, and enhanced data category protections.
The strategic investment is not in tracking every state law — that is a legal function — but in building the operational infrastructure that makes compliance automatic: functional opt-out mechanisms, plain-language notices, documented data flows, and a request-processing workflow that meets 30-45 day statutory response windows. Organizations that built this infrastructure for GDPR compliance in 2018 have a structural advantage — the operational patterns are largely the same, applied to a US consumer population rather than a European one. Organizations that managed CCPA as a California-specific exercise now face the cost of building national infrastructure under enforcement pressure rather than ahead of it.
The 2026 enforcement surge, driven by state AGs who have now established enforcement track records and have clear precedent in the California, Connecticut, and Texas actions, will accelerate. The margin for non-compliance that existed during the voluntary-compliance phase of US state privacy law is gone.
Frequently Asked Questions
Q: Do the 20 state laws apply to companies headquartered outside the US?
Yes. Most US state comprehensive privacy laws apply based on where consumers reside, not where the company is headquartered. A European or Algerian company that processes data of Indiana, Kentucky, or Rhode Island residents above the applicable thresholds is subject to those states’ laws. The practical enforcement mechanism is AG investigative action — which typically targets companies with US market presence or US-accessible products, regardless of global HQ location.
Q: Are there exemptions for small businesses?
Yes, generally. Most state privacy laws include revenue or processing-volume thresholds designed to exempt small businesses. Indiana and Kentucky apply at 100,000 consumers, or at 25,000 consumers when more than 50% of revenue comes from data sales. Rhode Island’s lower 35,000-consumer threshold brings more small companies into scope. Businesses below all applicable thresholds are exempt from most state framework requirements, though sector-specific rules (HIPAA for health data, COPPA for children’s data) apply regardless of size.
Q: What is the risk for a company that receives an AG deficiency notice and does not respond adequately?
The Connecticut case provides the answer: the AG escalated from deficiency notice to formal enforcement action, settling for $85,000 but establishing a public enforcement record. Beyond the settlement amount, the public nature of the action creates reputational exposure and, in jurisdictions where enforcement orders are public, a permanent record of non-compliance. Companies operating under ongoing AG attention also face heightened regulatory scrutiny in future years — enforcement offices track companies with prior deficiency notice histories.