← All guides
Privacy14 min read19 July 2026

US State Privacy Laws 2026: CCPA, VCDPA, CPA, CTDPA, TDPSA — Complete Multi-State Compliance Guide

How to comply with 20+ US state privacy laws — CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Montana MCDPA, Oregon OCPA, and more. Consumer rights, opt-out, GPC, sensitive data, enforcement by state.

The US state privacy law landscape in 2026

The United States does not have a comprehensive federal privacy law — the American Privacy Rights Act (APRA) has stalled in Congress. In its absence, individual states have enacted their own comprehensive consumer privacy legislation. By mid-2026, more than 20 states have passed comprehensive privacy laws, and the pace of legislation is accelerating. If you operate a business that processes personal data of US consumers, you almost certainly face obligations under multiple state laws.

The good news: most state laws share a common architecture, borrowed heavily from GDPR and California's CCPA. Consumer rights, notice obligations, opt-out mechanisms, and governance requirements are largely consistent across states, with important variations. A well-designed compliance programme can cover most states efficiently.

Key state laws and their effective dates

California CCPA/CPRA — The gold standard

The California Consumer Privacy Act (CCPA) became effective January 2020 and was significantly amended by the California Privacy Rights Act (Prop 24, CPRA) effective January 2023. The California Privacy Protection Agency (CPPA) began active enforcement in July 2023. California's law is the most comprehensive and carries the highest enforcement risk:

  • Applicability thresholds: Businesses that (1) have gross annual revenues over $25 million, (2) buy/sell/share personal data of 100,000+ consumers annually, or (3) derive 50%+ of revenue from selling personal data
  • Unique features: Private right of action for security breaches (statutory damages $100-$750 per consumer per incident); CPPA has independent rulemaking authority; ongoing rulemaking on automated decision-making, cybersecurity audits, and privacy risk assessments
  • CPRA additions: Right to correct inaccurate data; right to limit use of sensitive personal data; opt-out of automated decision-making with significant effects; stricter rules on sensitive data; contractor/service provider obligations strengthened

Virginia VCDPA — Simple, business-friendly

Virginia's Consumer Data Protection Act (VCDPA) became effective January 2023. It applies to businesses that control/process personal data of 100,000+ Virginians annually or 25,000+ Virginians and derive 50%+ of revenue from selling data. No private right of action — AG enforcement only. 30-day cure period. Notable for requiring Data Protection Assessments (DPAs) for high-risk processing activities including targeted advertising, profiling, and sensitive data.

Colorado CPA — GPC mandatory

Colorado's Privacy Act (CPA) became effective July 2023. Same applicability thresholds as Virginia (100,000 consumers or 25,000 + 50% revenue from data). Colorado uniquely mandates technical acceptance of the Global Privacy Control (GPC) signal — if a consumer's browser sends a GPC opt-out signal, businesses must treat it as an opt-out of sale and targeted advertising. AG enforcement; 60-day cure period through January 2025, no automatic cure after that.

Connecticut CTDPA — GPC also mandatory

Connecticut's Data Privacy Act (CTDPA) became effective July 2023. Same thresholds. Also mandates GPC signal compliance. AG enforcement; 60-day cure period.

Texas TDPSA — Broad reach

Texas's Data Privacy and Security Act (TDPSA) became effective July 2024. Notable for its broad applicability: applies to any business that (1) processes personal data of Texas residents and (2) either has 100,000+ consumer records OR derives 25%+ of revenue from selling personal data — with no revenue floor. Data broker registration required for data sellers. AG enforcement; 30-day cure period. Penalties up to $7,500 per violation.

Montana MCDPA, Oregon OCPA, and the 2024-2025 wave

Montana (MCDPA, October 2024), Oregon (OCPA, July 2024), Florida (FDBR, July 2024 — limited to businesses with $1B+ global revenue), Delaware (DPDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Nebraska (NDPA), and others came into effect through 2024-2025. All share the same GDPR-inspired architecture with state-specific variations on thresholds, cure periods, and sensitive data definitions.

Consumer rights — what you must implement

All comprehensive state privacy laws require you to respond to consumer requests exercising the following rights:

Right of access

Consumers can request confirmation of whether you process their personal data, and receive a copy of the data you hold about them. Response deadline: 45 days, extendable by another 45 days with notice. You must authenticate the request without collecting more personal data than necessary — this is a specific CPPA enforcement focus area.

Right to deletion

Consumers can request deletion of their personal data. Exceptions exist for: completing transactions, security and fraud prevention, legal obligations, legitimate business purposes like auditing, and certain research/public interest uses. You must instruct your service providers/processors to delete as well.

Right to correction (not CCPA)

VCDPA, CPA, CTDPA, TDPSA, MCDPA, OCPA, and most newer state laws require you to correct inaccurate personal data upon request. CPRA adds this to California. Timeline: 45 days. You don't have to correct data where corrections would require you to provide false information, but you must explain why you declined.

Right to portability

Consumers can request their personal data in a portable, machine-readable format (CSV, JSON). Required by CCPA, VCDPA, CPA, CTDPA, TDPSA. Not all states specify the exact format — aim for common interchange formats.

Appeals process

All states except California require you to have an internal appeals process for denied rights requests. Consumers have 60 days to appeal a denial. You have 60 days to respond. You must provide a way to lodge complaints with the AG if the appeal is denied.

Opt-out obligations — sale, sharing, targeted advertising

Every state law requires offering consumers the right to opt out of the sale or sharing of their personal data for targeted advertising. This typically means:

  • "Do Not Sell or Share My Personal Information" link — prominently placed in your website footer, homepage, and privacy policy
  • Global Privacy Control (GPC) signal — mandatory in California, Colorado, Connecticut, Texas, Oregon; strongly expected elsewhere. Technical implementation: detect the GPC header or JS API, treat as opt-out, propagate to all applicable downstream systems
  • Opt-out of targeted advertising / profiling — even if you don't "sell" data, if you share it for cross-context behavioural advertising, opt-out is required
  • No discrimination — consumers who opt out must receive equal service and price (with limited exceptions for loyalty programmes with material value disclosure)

Sensitive personal data — opt-in required

Most state laws (VCDPA, CPA, CTDPA, TDPSA, MCDPA, OCPA, and CPRA for "limit use") require opt-in consent for processing sensitive personal data, defined as: racial or ethnic origin, religious beliefs, mental/physical health condition or diagnosis, sexual orientation, immigration or citizenship status, financial account data combined with credentials, precise geolocation, biometric data for unique identification, and children's data.

CCPA/CPRA is slightly different: it gives consumers the right to limit use of sensitive personal data (opt-out model) rather than requiring opt-in consent upfront. In practice, most multi-state businesses implement opt-in for sensitive data to satisfy the majority of state requirements.

Children's privacy — COPPA + state age minimums

COPPA (federal) requires verifiable parental consent for processing data of children under 13. CCPA adds an opt-in requirement for 13-15 year olds for sale/sharing. MCDPA, Connecticut, and other states extend protections to 16. The Age-Appropriate Design Code concept (from the UK) is influencing US state developments — expect design requirements for child-directed services to increase.

Data Protection Assessments (DPAs)

VCDPA, CPA, CTDPA, TDPSA, MCDPA, OCPA, and others require conducting Data Protection Assessments for high-risk processing activities. Required for: processing sensitive personal data; targeted advertising; profiling with significant effects; selling personal data; and processing activities with foreseeable risk of substantial injury to consumers. DPAs must weigh the benefits of processing against risks to consumer rights. They must be available to AGs upon request.

Enforcement and penalties

California CPPA has the most active enforcement programme. CCPA penalties: $2,500 per unintentional violation, $7,500 per intentional violation, with no cap per enforcement action. CCPA also carries a private right of action for security breaches — statutory damages of $100-$750 per consumer per incident, meaning a 50,000-consumer breach can result in $5-37.5 million in statutory damages. Most other states: AG enforcement only, penalties of $7,500-$10,000 per violation, cure periods of 30-60 days for first violations.

Assess your multi-state privacy compliance

The US State Privacy Laws Compliance Checker covers 42 obligations across six domains: notice and transparency, consumer rights implementation, opt-out and consent mechanisms, sensitive data and children's privacy, data minimization and security, and governance and assessments. Select which states you operate in, assess each obligation, and generate a detailed multi-state compliance report with a prioritised remediation roadmap and state-by-state applicability analysis.

Related tools

See also: GDPR Compliance Audit, CCPA/CPRA Compliance Checklist, Privacy Policy Generator, GDPR Records of Processing Activities (RoPA), Data Processing Agreement Generator.