The State Privacy Law Patchwork in 2026: Which Laws Apply to Your App and What They Require
Twenty states now have active privacy laws. This guide maps which ones apply to your app based on your user base, explains the California/Texas/other enforcement tiers, and covers the five elements every privacy notice must include.
The Privacy Regulation Explosion — Why This Got Hard Fast
Before 2020, U.S. consumer privacy law was essentially a single-state problem. California's CCPA took effect on January 1, 2020, and for a brief window it stood alone as the only comprehensive state consumer privacy regime in the country. That window has since closed. As of January 2026, nineteen states have enacted comprehensive consumer privacy laws that are actively in effect — covering more than half the American population. Indiana, Kentucky, and Rhode Island joined the map on January 1, 2026 alone.
The growth was fast and uneven. Each state legislature drafted its own law, borrowed selectively from California and Virginia, and arrived at different applicability thresholds, enforcement mechanisms, and penalty structures. A consumer app with users in ten states may technically be subject to eight or nine different legal frameworks — each with its own notice requirements, consumer rights timelines, and sensitive data rules.
Here is the shift that matters for 2026 specifically: for the first time in five years, 2025 produced no new comprehensive state privacy legislation. The drafting sprint is over. States that passed laws between 2021 and 2024 are now enforcing them with increasing sophistication. The California Privacy Protection Agency reached a $2.75 million settlement in February 2026 over opt-out failures. Texas secured a $1.375 billion settlement against Google. The compliance question has moved from which laws are coming to what the laws already on the books actually require of your app.
The 2026 State-by-State Map
Twenty states have comprehensive consumer privacy laws in active effect as of mid-2026. The table below lists all twenty, with each law's effective date, the agency responsible for enforcement, and the applicability threshold — the minimum user count or revenue level that determines whether your app is covered at all.
| State | Law | Effective Date | Enforcement | Key Threshold |
|---|---|---|---|---|
| California | CCPA / CPRA | Jan 1, 2020 / Jan 1, 2023 | AG + CPPA | 100K consumers OR 50% revenue from data sales; $25M revenue |
| Colorado | CPA | Jul 1, 2023 | AG + District Attorneys | 100K consumers/year OR 25K+ consumers and 25% revenue from data sales |
| Connecticut | CTDPA | Jul 1, 2023 | AG | 100K consumers OR 25K consumers and 25% revenue from data sales |
| Virginia | VCDPA | Jan 1, 2023 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales |
| Texas | TDPSA | Jul 1, 2024 | AG | No threshold (applies to all for-profit businesses) |
| Utah | UCPA | Dec 31, 2023 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales; $25M revenue |
| Montana | MCDPA | Oct 1, 2024 | AG | 50K consumers (lower than most) |
| Oregon | OCPA | Jul 1, 2024 | AG | 100K consumers OR 25K consumers and 25% revenue from data sales |
| Delaware | DPDPA | Jan 1, 2025 | AG | 35K consumers OR 10K consumers and 20% revenue from data sales |
| Iowa | ICDPA | Jan 1, 2025 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales |
| Maryland | MODPA | Oct 1, 2025 | DCP | 35K consumers OR 10K consumers and 20% revenue from data sales |
| Minnesota | MHMDPA | Jul 31, 2025 | AG | 100K consumers OR 25K consumers and 25% revenue from data sales |
| Nebraska | NDPA | Jan 1, 2025 | AG | No threshold |
| New Hampshire | NHPA | Jan 1, 2025 | AG | 35K consumers OR 10K consumers and 25% revenue from data sales |
| New Jersey | NJDPA | Jan 15, 2025 | DCA | 100K consumers OR 25K consumers and 25% revenue from data sales |
| Tennessee | TIPA | Jul 1, 2025 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales; $25M revenue |
| Florida | FDBR | Jul 1, 2024 | Dept. of Legal Affairs | $1 billion revenue (highest of any state) |
| Indiana | INCDPA (SB 5) | Jan 1, 2026 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales |
| Kentucky | KCDPA (HB 15) | Jan 1, 2026 | AG | 100K consumers OR 25K consumers and 50% revenue from data sales |
| Rhode Island | RICDPA (HB 7787) | Jan 1, 2026 | AG | 35K consumers OR 10K consumers and 20% revenue from data sales |
Two threshold facts stand out. First, Texas's TDPSA and Nebraska's NDPA apply without any revenue or consumer volume threshold — unlike every other state on this list. If your app processes personal data of Texas or Nebraska residents, you are covered, regardless of how large or small your company is. Second, Florida's $1 billion revenue threshold is the highest of any state and effectively limits that law to major platforms. For most startups, Florida drops off the compliance checklist immediately.
The enforcement column is worth studying too. Most states use the state attorney general as the sole enforcement authority. California is the only state with both an AG and a dedicated enforcement agency — the California Privacy Protection Agency — operating simultaneously. For founders building toward a multi-state privacy compliance program, California's dual-agency structure and active enforcement record make it the natural anchor for the whole framework.
The Three-Tier Framework: California, Texas, and the Virginia Cluster
Twenty states, three enforcement profiles. Once you understand which tier a state falls into, the compliance logic for that state becomes predictable. The tiers do not map perfectly to legal requirements — they map to enforcement intensity, and that is what determines your actual exposure.
Tier 1 — California is the only state operating two simultaneous enforcement vectors: the California Privacy Protection Agency (CPPA) and the Attorney General on one side, private plaintiffs on the other. That private right of action is limited to data breach claims, not general CCPA violations, but it removes any buffer between a security failure and litigation. California also eliminated its cure period entirely, meaning a CPPA investigation can proceed directly to penalty. On consent, California is the one outlier among all 20 states — it uses an opt-out model for sensitive data rather than requiring affirmative opt-in consent, and it mandates that covered businesses honor the Global Privacy Control (GPC) browser signal as a valid opt-out request.
Tier 2 — Texas operates under the Texas Data Privacy and Security Act (TDPSA), which the Texas AG began enforcing in earnest in January 2025 with a lawsuit against Allstate's Arity subsidiary for secretly harvesting precise geolocation data from 45 million Americans through SDK integrations in mobile apps — all without notice or consent. Enforcement is AG-only with no private right of action, and a 30-day cure period remains in place with no statutory sunset. Penalties run up to $7,500 per violation. What distinguishes Texas from the Tier 3 cluster is not its remedy structure but its reach: the TDPSA has no revenue or consumer volume threshold, so a two-person startup serving Texas consumers is subject to the same opt-in requirement for sensitive data as a Fortune 500 company. For opt-out signals, Texas requires recognition of "consumer-friendly" universal opt-out mechanisms — broader language than GPC specifically, but operationally it requires a separate implementation decision.
Tier 3 — the Virginia cluster includes Virginia, Colorado, Connecticut, and the majority of states that modeled their laws on the Virginia Consumer Data Protection Act (VCDPA). These states share a consistent enforcement architecture: AG-only enforcement, no private right of action, and cure periods intact for most. Like Texas, they require opt-in consent for sensitive data. Unlike California, they have narrower applicability thresholds — Virginia requires processing data of at least 100,000 consumers annually, for example — which means many early-stage startups fall outside their scope until they scale.
What California Compliance Buys You in Other States
The most efficient path through the 20-state patchwork is to build your privacy program to California's CPRA standard first. Because CPRA carries the broadest consumer rights, the most specific consent obligations, and the strictest sensitive data protections of any U.S. state law, a CPRA-compliant program gets you approximately 80 percent of the way to compliance with the other 19 states — a practitioner estimate, not a regulatory safe harbor, but a well-documented one. The remaining 20 percent consists of discrete, patchable gaps rather than a wholesale rebuild.
Three gap categories require state-specific additions on top of any California foundation. First, California's CPRA does not require Data Protection Assessments (DPAs) for high-risk processing activities — but Colorado, Connecticut, and Virginia all do. If your app runs targeted advertising, behavioral profiling, or automated decision-making that produces legal or similarly significant effects, you need DPAs for those activities regardless of whether California requires them. Second, some states define sensitive data more broadly than CPRA. Minnesota includes union membership; Colorado's 2026 amendments added neural data. If your processing inventory does not account for these state-specific categories, you have gaps your California compliance program will not catch. Third, Connecticut's July 2026 amendments require a specific disclosure when personal data is used to train large language models — an obligation that has no CPRA equivalent and is directly relevant to any founder whose product or vendor pipeline touches AI training data.
On opt-out signals, California and Colorado mandate recognition of the Global Privacy Control (GPC). Texas takes a different path: the TDPSA requires businesses to honor "consumer-friendly" universal opt-out mechanisms but does not mandate GPC specifically, meaning your technical implementation for California may not satisfy Texas without a separate configuration.
There is also a structural enforcement reason to prioritize California compliance beyond efficiency. Nine state regulators — California, Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon — operate as the Consortium of Privacy Regulators, sharing investigative information and coordinating enforcement. A single California Privacy Protection Agency investigation can expand to all nine member states without any separate triggering event. Getting California right is not just about California.
Required Elements of a Privacy Notice
Across all 20 active state privacy laws, the required contents of a privacy notice are remarkably consistent. The Texas Attorney General's official TDPSA guidance — which applies to any business with Texas consumers regardless of size — spells out the same five elements that every other state law also demands:
- Categories of personal data you collect. List what you collect — names, device IDs, location data, browsing history, inferences — including any sensitive data categories. Vague language like "information you provide" does not satisfy any state's standard.
- Purpose of processing. Explain why you collect and use each category. "To improve our services" alone is insufficient; states expect enough specificity that a consumer can evaluate whether the use is what they expect.
- Categories of third-party disclosures and sales. Identify the types of third parties (advertising networks, analytics providers, data brokers) with whom you share or sell personal data. You do not need to name vendors, but category-level disclosure is required universally.
- Consumer rights and how to exercise them. All 20 state laws grant consumers rights to access, delete, correct, and obtain a portable copy of their data, plus the right to opt out of sales and targeted advertising. Your notice must describe each right and include the contact method consumers use to submit requests. California and Texas also require recognition of universal opt-out signals — under TDPSA, any "consumer-friendly" opt-out mechanism must be honored, not just the GPC signal California mandates.
- How to submit requests — method and response time. Disclose at least one contact method for rights requests. Texas goes further and requires at least two methods. Most states allow 45 days to respond; California permits a 45-day extension bringing the outer limit to 90 days.
Two states impose timing obligations on top of this baseline. California and Texas both require an at-collection notice — a disclosure at or before the point of data collection, separate from your general privacy policy. A footer link to a long-form privacy policy does not satisfy this requirement on its own.
One notice can cover all 20 states if it includes everything California requires — the strictest baseline — supplemented by state-specific sections. Connecticut's July 2026 update added a disclosure requirement for data used to train large language models, which must appear as a separate provision for any app using LLM features. Use dynamic display or a tabbed state-addendum structure to surface jurisdiction-specific rights to each visitor without bloating the notice for everyone. Founders building for a national audience can find practical guidance on structuring these disclosures at Promise Legal's startup resources.
Building Your Data Inventory — The Foundation Under the Notice
The five elements covered in the previous section can only be accurate if one condition holds: you have to know what data you actually hold. When Texas filed its first TDPSA enforcement action against Allstate's Arity subsidiary, one of the core violations was that consumers were wholly unaware that Arity was harvesting their precise geolocation — because the SDK doing the harvesting was embedded in third-party apps whose owners did not know it was there. A privacy notice that does not reflect what your third-party integrations are actually collecting is not a compliance document; it is evidence of the gap regulators will use against you.
A minimum viable data inventory covers five things for each processing activity: the categories of personal data collected, where that data is stored (including third-party systems), how it flows through your product and to external vendors, retention periods, and who has access. IAPP's guidance on data inventory and mapping is direct on this point: without completing that exercise, building a program that addresses any state's compliance obligations is not meaningfully possible. The format does not need to be elaborate — a spreadsheet with one row per processing activity will satisfy the structure. What matters is that every data flow has a record.
Third-party SDKs, analytics platforms, and advertising pixels are where most inventories break down. Founders integrate tools quickly and rarely audit what those tools collect on their behalf. If the SDK phones home with device identifiers or location data, that collection is yours for notice and consent purposes, regardless of whether you directed it.
High-Risk Triggers: Sensitive Data, Kids, and Targeted Advertising
Nineteen of the twenty state privacy laws require opt-in consent before processing sensitive personal data — health information, biometrics, precise geolocation, racial and ethnic origin, sexual orientation, religious beliefs, and financial data. California alone uses an opt-out model; everywhere else, you need affirmative consent before processing begins, not after. The trap for fintech and e-commerce founders is Texas: the TDPSA expressly includes financial information in its sensitive data definition, and because the TDPSA has no revenue or volume threshold, virtually any business touching Texas consumers' financial data must obtain opt-in consent. Colorado went further in its 2026 amendments, adding neural data to its sensitive data definition — a category that catches wellness and health app founders who had not mapped it as sensitive at all.
Children's privacy operates on multiple overlapping layers. The federal COPPA floor (under 13, verifiable parental consent) was updated in rules effective April 22, 2026 — the amended rule now requires separate opt-in consent specifically for targeted advertising to children, prohibits bundled consent, and mandates a written information security program with annual risk assessments. FTC enforcement is active: recent settlements reached $10 million against Disney and $20 million against Cognosphere for unauthorized children's data collection. COPPA compliance does not discharge state obligations for teenagers. California requires opt-in from minors ages 13 to 15 before selling their data; Montana requires consent for targeted advertising to any known consumer ages 13 to 16. Fifteen states have enacted children's data protections that go beyond COPPA's scope.
Targeted advertising is a separately defined activity under most state laws — Colorado, Connecticut, Virginia, and Texas all treat it as a category requiring consumer disclosure and an opt-out right distinct from data sale. Founders integrating third-party ad networks commonly trigger this without realizing it, because the definition does not require the founder to receive payment; it covers profiling based on cross-context behavioral data. Colorado, California, and Virginia also require risk assessments before deploying automated decision-making technology in high-stakes contexts including employment, credit, housing, and health — an obligation that applies whether or not any data is sold.
Four Steps to a Multi-State Privacy Program
Most founders reading this article are closer to a defensible privacy program than they realize. The barrier is not the number of state laws or the complexity of the requirements — it is completing the data inventory that makes everything else possible. With that in hand, the path forward follows a clear sequence.
- Run a data inventory. Map every category of personal data you collect, where it is stored (including third-party SDKs and analytics tools), who receives it, and how long you keep it. Until this document exists, you cannot accurately write a privacy notice or assess your exposure.
- Determine which state laws apply. Match your user geography against the thresholds in the 20-state table. Texas and Nebraska apply regardless of your revenue or user volume. California, Colorado, and Connecticut carry the highest enforcement risk and no cure period.
- Build or update your privacy notice. Using your inventory as the source of truth, draft a notice that covers the five required elements — data categories, processing purposes, third-party disclosures, consumer rights, and how to submit requests — built to California's standard with state-specific additions for Texas and the Virginia cluster states.
- Verify your opt-in consent flows and age-gating. If you handle sensitive data or have any minors in your user base, do this before anything else. Nineteen states require affirmative consent for sensitive data processing, and the updated COPPA rule took effect April 22, 2026.
National law firm guidance published in 2026 confirms this four-step sequence as the standard approach for multi-state compliance programs. For most early-stage tech companies, completing it takes two to three weeks of focused work. The founders who delay do not have a legal problem — they have a calendar problem.
Need help building your privacy compliance program? Get in touch — we work with tech founders and in-house counsel on CCPA, TDPSA, and multi-state privacy programs.