If you’ve been paying attention to the regulatory world over the last few years, you’ve probably noticed that data privacy is no no longer only a concern for massive technology companies. Today, businesses of every size are being asked to think carefully about how they collect, store, process, and protect personal information.
One question I hear regularly is: what 20 states have passed their comprehensive data privacy law?
It’s a fair question.
In the absence of a single federal privacy law, states across the United States have taken matters into their own hands. The result is a growing patchwork of comprehensive privacy laws that businesses have to navigate, especially if they operate across multiple states.
As of 2026, 20 states have enacted comprehensive data privacy laws designed to give consumers more power over their personal data and establish obligations for businesses that collect and process information.
Why States Are Passing Comprehensive Privacy Laws
Today, data is one of the most valuable resources for businesses.
Companies collect customer names, email addresses, browsing behavior, purchase history, geolocation information, and in some cases, even more sensitive information. While the data can help businesses improve services and customize experiences, it also creates big privacy and security concerns.
Based on my experience, many business owners don’t realize just how much consumer data they collect until they start conducting a privacy review.
That’s when things get interesting.
Comprehensive data privacy laws are designed to provide stronger privacy protections for consumers while forming clear rules for organizations that handle personal data. These privacy laws typically address:
- Consumer privacy rights
- Data processing requirements
- Data security obligations
- Sensitive data protections
- Business transparency requirements
- Consumer opt-out rights
- Enforcement authority for state regulators
The overall goal is simple: give residents more control over their private data.
How Many US States Have Passed Comprehensive Privacy Laws?
As of 2026, 20 states have passed comprehensive privacy laws. These laws vary slightly from state to state, but they generally share common principles regarding consumer privacy, personal data, and business accountability.
The 20 states are:
- California
- Virginia
- Colorado
- Connecticut
- Utah
- Iowa
- Indiana
- Tennessee
- Texas
- Florida
- Oregon
- Delaware
- Montana
- New Jersey
- Maryland
- New Hampshire
- Nebraska
- Kentucky
- Minnesota
- Rhode Island
These states have enacted comprehensive data privacy laws that provide various consumer protections and establish obligations for businesses collecting and processing data.
A Closer Look at the 20 States
California
California was the first state to adopt a modern comprehensive privacy law through the California Consumer Privacy Act and later the California Privacy Rights Act.
California’s privacy legislation has become the model that many other states have referenced when drafting their own privacy laws. It grants consumers significant control over personal information and imposes substantial compliance requirements on businesses.
Virginia
Virginia became the second state to pass a comprehensive privacy law.
The Virginia Consumer Data Protection Act focuses on consumer rights, data protection assessments, and limitations on processing certain categories of personal data.
Colorado
The Colorado Privacy Act introduced several consumer privacy protections, including rights related to access, correction, deletion, and portability of personal information.
Connecticut and Utah
These states followed closely behind California, Virginia, and Colorado.
Their privacy laws generally mirror many of the same consumer protections while adding state-specific requirements for businesses functioning within their jurisdictions.
Iowa, Indiana, and Tennessee
These states continued the expansion of comprehensive privacy legislation throughout the Midwest and South.
While frequently considered more business-friendly than California’s approach, they still form clear standards for data privacy and consumer protection.
Texas and Florida
Texas and Florida both passed major privacy legislation that impacts large organizations handling significant amounts of personal data.
Texas, in particular, became one of the largest states outside California to implement comprehensive privacy requirements.
Oregon, Delaware, and Montana
These states adopted comprehensive privacy laws that strengthened protections around sensitive data, consumer rights, and business transparency.
Oregon’s law is often viewed as one of the stronger state privacy frameworks currently in place.
New Jersey, Maryland, and New Hampshire
These states continued the trend in 2024 by adopting comprehensive data privacy legislation to provide residents with stronger privacy protections and greater oversight of how companies manage personal information.
Nebraska
For Nebraska businesses, the Nebraska Data Privacy Act represents a significant development.
The law grants residents rights to access, correct, and delete personal information. Consumers may also opt out of certain data-processing activities, such as targeted advertising and profiling. The law became effective January 1, 2025.
Kentucky
Kentucky’s privacy law applies to organizations that meet certain data-processing thresholds and provides consumer protections similar to those in many other state privacy laws.
Minnesota
Minnesota’s law includes unique provisions that allow consumers to challenge certain automated decision-making procedures and profiling activities.
As artificial intelligence becomes more common, these protections may become increasingly important.
Rhode Island
Rhode Island became the twentieth state to enact comprehensive privacy legislation.
The law provides consumer rights regarding access, correction, deletion, and portability of personal information while granting enforcement authority to the state’s attorney general.
What Rights Do Consumers Typically Receive?
Although each privacy law differs somewhat, most comprehensive privacy laws provide consumers with similar protections.
These commonly include:
- Right to access personal data
- Right to correct inaccurate information
- Right to delete personal data
- Right to receive copies of data
- Right to opt out of targeted advertising
- Right to opt out of data sales
- Right to opt out of certain profiling activities
Many states also provide enhanced protections for sensitive data such as:
- Health information
- Biometric data
- Precise geolocation data
- Information about children
- Financial information
These protections continue to evolve as privacy legislation matures.
Do All 50 States Have Data Breach Notification Laws?
Yes.
While only 20 states have enacted comprehensive privacy laws, all 50 states have some form of data breach notification law.
These laws generally require organizations to notify affected residents when certain types of personal information are exposed during a security incident.
However, data breach notification laws are different from comprehensive privacy laws.
A breach notification law focuses on what happens after a security event occurs.
A comprehensive privacy law governs how businesses collect, process, store, share, and protect personal data before a breach ever happens.
That distinction matters.
A company can fully comply with breach notification requirements while still violating broader privacy obligations under state privacy legislation.
What This Means for Businesses
The growing number of comprehensive data privacy laws creates both difficulties and opportunities.
For organizations operating in multiple states, compliance becomes more complicated as each state introduces slightly different requirements, exemptions, definitions, and enforcement mechanisms.
I’ve seen many organizations assume that privacy compliance is only relevant to large corporations. In reality, many small and midsize businesses collect enough personal information to trigger state privacy requirements.
Some practical steps businesses should consider include:
- Conducting data inventories
- Reviewing privacy policies
- Mapping data processing activities
- Evaluating third-party vendors
- Strengthening security controls
- Developing consumer request procedures
- Monitoring new legislation
The privacy world continues to change quickly.
Final Thoughts
So, what 20 states have passed their comprehensive data privacy law?
As of 2026, the list includes California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Oregon, Delaware, Montana, New Jersey, Maryland, New Hampshire, Nebraska, Kentucky, Minnesota, and Rhode Island.
And that list will likely continue to grow.
More states have active privacy bills under consideration, and the pressure for stronger consumer privacy protections continues to increase every year. For businesses, keeping informed about comprehensive data privacy laws is no not optional. It’s becoming a fundamental part of managing risk, protecting buyer trust, and upholding compliance in an increasingly data-centric world.
