Beyond CCPA: US State Privacy Laws You Need to Know in 2026

LegalBanner · 8 min read

The Privacy Law Explosion

In 2020, CCPA was the only comprehensive state privacy law in the US. By 2026, over 15 states have enacted their own privacy legislation, with more in progress. If your website serves visitors across the US, you're likely subject to multiple state laws simultaneously.

Key State Privacy Laws

California (CCPA/CPRA)

The most comprehensive. Opt-out model with "Do Not Sell or Share" rights, GPC support required, CPPA enforcement agency, private right of action for breaches. Applies to businesses with $25M+ revenue or 100K+ consumer data records.

Virginia (VCDPA)

Consumer Data Protection Act. Similar to GDPR in structure. Consent required for processing sensitive data. Opt-out rights for targeted advertising, sale of data, and profiling. No revenue threshold — applies to businesses controlling data of 100K+ Virginia consumers or 25K+ if deriving 50%+ revenue from data sales.

Colorado (CPA)

Colorado Privacy Act. Requires recognition of universal opt-out mechanisms (like GPC). Consent for sensitive data. Applies at 100K consumers or 25K+ with data revenue.

Connecticut (CTDPA)

Similar to Virginia and Colorado. Notable for strong GPC recognition requirements and a broad definition of "sale" that includes targeted advertising.

Texas (TDPSA)

Texas Data Privacy and Security Act. Notable because it has no revenue threshold — applies to any business operating in Texas, except small businesses as defined by the SBA. One of the broadest applicability scopes.

Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska

All have enacted privacy laws between 2023 and 2026, each with variations on consumer rights, business obligations, and enforcement mechanisms.

Common Requirements Across States

Despite differences, most state laws share these requirements:

  • Privacy policy disclosure — What data you collect, why, and who you share it with
  • Opt-out of targeted advertising — Users must be able to stop cross-site ad tracking
  • Opt-out of data sales — If you sell personal data, provide an opt-out
  • Data access and deletion rights — Users can request their data and ask for it to be deleted
  • Universal opt-out recognition — Several states explicitly require honouring GPC signals

How to Comply with All of Them

The practical approach is to implement the highest common denominator: if you comply with GDPR (the strictest) and CCPA (the most detailed US law), you're covered for essentially all state laws. The key requirements are:

  1. A consent mechanism that blocks tracking before opt-in (covers GDPR)
  2. A "Do Not Sell or Share" opt-out link (covers CCPA + state laws)
  3. GPC signal recognition (covers California, Colorado, Connecticut, and more)
  4. A comprehensive privacy policy with data practices disclosure
  5. Data subject request handling (access, deletion, correction)
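As an added example (not LegalBanner's code), here is how step 3 combines with the per-region framework choice: the Global Privacy Control signal arrives as the `Sec-GPC: 1` request header (server side) or as `navigator.globalPrivacyControl === true` (client side), and a set signal is treated as a "Do Not Sell or Share" opt-out for US visitors without any banner interaction. The region codes, the geo-lookup and the policy object shape are assumptions.

```javascript
// Added example: honour the Global Privacy Control (GPC) universal opt-out.
// Header name "Sec-GPC" and the navigator.globalPrivacyControl property are the
// spec's names; region codes and the policy object below are assumptions.

const EU_REGIONS = new Set(["EU", "UK"]); // assumed codes from a geo-lookup

// Server side: only the exact header value "1" means the signal is set.
function gpcFromHeaders(headers) {
  const v = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return v !== undefined && String(v).trim() === "1";
}

// Client side: the property is true when the user has enabled GPC in the browser.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav.globalPrivacyControl === true;
}

// Decide the consent model and the default tracking permissions for a visitor.
function resolvePolicy({ region, gpc }) {
  if (EU_REGIONS.has(region)) {
    // GDPR: nothing runs until the user opts in. GPC never grants consent,
    // and there is no default to opt out of, so the signal changes nothing.
    return { framework: "GDPR", model: "opt-in", mayShare: false, mayTargetAds: false, honouredGpc: false };
  }
  const framework = region === "CA" ? "CCPA" : "US-state";
  if (gpc) {
    // Universal opt-out: same effect as clicking "Do Not Sell or Share".
    return { framework, model: "opt-out", mayShare: false, mayTargetAds: false, honouredGpc: true };
  }
  // No signal: sharing and targeted ads stay on until the visitor opts out.
  return { framework, model: "opt-out", mayShare: true, mayTargetAds: true, honouredGpc: false };
}

// Entry point for a request: region from the (assumed) geo-lookup, GPC from headers.
function policyForRequest(region, headers) {
  return resolvePolicy({ region, gpc: gpcFromHeaders(headers) });
}

// Constructed sample requests for a quick demo.
const samples = [
  ["CA", { "sec-gpc": "1" }],
  ["TX", {}],
  ["EU", { "sec-gpc": "1" }],
];
for (const [region, headers] of samples) {
  console.log(region, policyForRequest(region, headers));
}
```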

LegalBanner's Multi-Jurisdiction Approach

LegalBanner automatically detects visitor location and applies the appropriate compliance framework. EU visitors see a GDPR consent banner. California visitors see CCPA opt-out options. Visitors from other US states see the relevant interface. All from one script tag, zero configuration.
