State Privacy Laws in 2026: A Guide for US Small Businesses
- May 17, 2026
- Posted by: allan
- Category: Data Privacy & Cybersecurity
For most of its history, the United States handled consumer data privacy through a patchwork of sector-specific federal laws — HIPAA for health information, COPPA for children’s data online, GLBA for financial services customers — supplemented by the Federal Trade Commission’s general authority to police unfair or deceptive practices. There was no comprehensive federal privacy law, and most businesses operating across state lines dealt only with a relatively modest compliance burden. That landscape has changed significantly. As of 2026, more than a dozen states have enacted comprehensive consumer privacy laws, and more are in progress. For small and medium-sized businesses, understanding which laws apply and what they require has become an essential part of operations.
The Wave of State Privacy Laws
California was the first state to enact a comprehensive consumer privacy law with the California Consumer Privacy Act, which took effect in January 2020 and was significantly amended by the California Privacy Rights Act in 2023. Virginia followed with the Consumer Data Protection Act, effective January 2023. Colorado, Connecticut, and Utah all enacted privacy laws that also took effect in 2023. Texas, Florida, Oregon, Montana, and several other states passed laws that have since taken effect or are scheduled to take effect in the next eighteen months. The overall trend is unmistakable: state legislatures across the country have concluded that consumers deserve meaningful rights over their personal data, and they are acting in the absence of a federal framework.
While these laws share a common architecture — they all grant consumers rights over their data, impose obligations on businesses that collect and use personal information, and establish enforcement mechanisms — they differ in meaningful ways on the details. Thresholds for coverage differ. The scope of sensitive data categories differs. The mechanisms for opting out of the sale or sharing of personal information differ. Whether the law creates a private right of action differs. Small businesses that operate across state lines need to understand both the shared framework and the state-specific differences.
Which Businesses Are Covered?
Every state privacy law includes some form of threshold that determines which businesses are subject to the law. These thresholds are designed to exclude very small businesses from full compliance obligations while still covering those that process significant volumes of personal data.
California’s law covers for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling consumers’ personal information. Virginia and Colorado cover businesses that control or process the personal data of 100,000 or more consumers per year, or that process data of 25,000 or more consumers while deriving more than 25% of their revenue from selling personal data. Other states have adopted similar thresholds, with variations.
The practical takeaway for most small businesses is that even a modest online presence can trigger coverage faster than expected. A business that runs a website collecting email addresses, browsing behavior, and purchase history from customers in multiple states may hit the 100,000-consumer threshold without realizing it. Businesses should audit how much personal data they collect, from which states their customers come, and whether their revenue model involves selling or sharing data. The threshold analysis is the starting point for any compliance effort.
Core Consumer Rights Under State Privacy Laws
Most state privacy laws grant consumers a standard set of rights that businesses must be prepared to honor. Understanding these rights is essential because they translate directly into operational requirements.
The right to know or access requires businesses to tell consumers what personal information they have collected about them and, in most states, to provide consumers with a copy of that information upon request. The right to delete requires businesses to delete a consumer’s personal information upon request, subject to certain exceptions. The right to correct allows consumers to ask a business to fix inaccurate personal information. The right to opt out of the sale of personal information gives consumers the ability to stop a business from selling their data to third parties. Many states have expanded this right to also cover the sharing of data for cross-context behavioral advertising — the practice of using a consumer’s browsing history to show them targeted ads — even when no money changes hands in a traditional sale.
Businesses must have mechanisms in place to receive these requests, verify the identity of the person making the request, and respond within the legally required timeframe. Most state laws require responses within 45 days, with the possibility of a 45-day extension for complex or numerous requests. Businesses that do not have any internal process for handling these requests are non-compliant regardless of how good their privacy policy looks.
Sensitive Data: Stricter Rules Apply
Every state privacy law establishes a category of sensitive personal information that requires heightened protections beyond what applies to ordinary personal data. The specific categories vary by state, but most include data relating to racial or ethnic origin, religious beliefs, mental and physical health conditions, sexual orientation or gender identity, citizenship and immigration status, genetic and biometric data, and precise geolocation. California’s law also covers social security numbers, driver’s license numbers, financial account information, and the contents of personal communications.
Sensitive data is subject to opt-in consent requirements in most states, meaning businesses cannot collect or use it unless the consumer has affirmatively agreed. This is a significant difference from the opt-out model that applies to ordinary personal data. If your business collects any information that falls into these sensitive categories — even incidentally — you need to know which state laws apply to you and what consent mechanism those laws require.
Data Processing Agreements with Vendors
State privacy laws distinguish between businesses that determine the purposes and means of processing personal data (called controllers in most laws, or businesses in California’s framework) and the vendors that process data on their behalf (called processors or service providers). If you share personal data with a third-party vendor — a cloud storage provider, a payroll processor, a marketing platform, a customer service software company — most state privacy laws require you to have a written contract in place that governs how that vendor can use the data.
These contracts must generally require the vendor to process the data only for the purposes specified in the agreement, maintain appropriate security measures, assist the business in honoring consumer rights requests, and notify the business of any data breaches. Many businesses are surprised to discover that their existing vendor agreements do not include these provisions, or that vendors were brought on as co-processors under an older privacy framework that does not satisfy the newer state-law requirements. Auditing vendor agreements and updating them to comply with applicable state laws is an important step in any privacy compliance program.
Privacy Notices: What You Must Disclose
Every state privacy law requires businesses to provide consumers with a clear, accessible privacy notice that explains what personal information is collected, why it is collected, how long it is retained, whether it is sold or shared with third parties, and how consumers can exercise their rights. Most laws require the notice to be provided at or before the time of collection.
For businesses that operate websites, the privacy notice is usually published as a privacy policy accessible from the website’s homepage. But the law requires more than just posting a document. The notice must be accurate, meaning it must actually describe the business’s current practices. It must be reasonably specific about the categories of data collected and the types of third parties who receive it. And it must include clear instructions for how consumers can submit rights requests or opt out of data sales or sharing. A generic privacy policy pulled from a template is unlikely to satisfy these requirements without significant customization.
Enforcement: Who Is Watching?
Most state privacy laws are enforced by the state attorney general, which means that enforcement actions are primarily reserved for the most serious violators or those with the highest public profile. California is the exception: it has a dedicated privacy enforcement agency, the California Privacy Protection Agency, which has authority to investigate complaints, issue subpoenas, and assess fines of up to $7,500 per intentional violation. Most states do not yet have a dedicated privacy enforcement agency, but enforcement activity is increasing across the board as more laws take effect and as state attorneys general build their privacy enforcement capacity.
Some state laws — most notably California’s law for certain types of breaches — also create a private right of action, allowing consumers to sue businesses directly without going through a government agency. This is a significant source of litigation risk, particularly for businesses that experience data breaches involving unencrypted personal information.
Practical Steps for Small Business Compliance
Getting compliant with state privacy laws does not require an enterprise privacy program, but it does require some deliberate effort. The first step is determining which state laws apply based on where your customers are located and how much of their data you collect. The second step is auditing your data practices: what personal information you collect, why, where it goes, how long you keep it, and who can access it. The third step is updating your privacy policy to accurately describe those practices and to include all required disclosures.
From there, you need a process for receiving and responding to consumer rights requests within the legally required timeframe. You need to review your vendor agreements and add data processing provisions where they are missing. If you use tracking technologies on your website — cookies, pixels, session replay tools — you need to understand whether those constitute the sale or sharing of personal information under applicable state laws, and if so, whether you are providing the required opt-out mechanism.
The final practical reality is that the state privacy law landscape is still evolving. New laws take effect on a regular cadence, courts and regulators are still interpreting the laws that are already in effect, and the California Privacy Protection Agency continues to issue and update regulations. Businesses that build a solid compliance foundation today will be better positioned to adapt as the law continues to develop.
