The US state privacy law patchwork now covers half the country — and businesses are running out of time to adapt

When California's Consumer Privacy Act (CCPA) took effect in January 2020, it was the first comprehensive consumer data privacy law in the United States — and many assumed it would be quickly followed by federal legislation that would create a uniform national standard. Six years later, federal privacy legislation remains stuck. What has emerged instead is a state-by-state patchwork that now covers the majority of the US population, with material differences in rights, enforcement, and applicability thresholds that have turned privacy compliance into a significant operational challenge.
Where the patchwork stands
By 2026, comprehensive state privacy laws are in effect or imminent in more than 20 states, including California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Indiana, Tennessee, Iowa, Florida, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Nebraska, Minnesota, Rhode Island, and several others that have passed laws with future effective dates.
The laws share a common architecture borrowed from GDPR: consumers have the right to know what data is collected about them, the right to delete it, the right to opt out of the sale of their data, and the right to correct inaccurate data. But the details differ significantly across states in ways that matter for compliance programs.
Applicability thresholds vary widely. California's CPRA applies to businesses with annual gross revenue over $25M, that process data on 100,000+ consumers, or that derive 50% of revenue from selling data. Texas's TDPSA applies to any business that processes data of Texas residents, with no revenue threshold — a significantly broader reach. The Oregon Consumer Privacy Act applies to businesses that process data on 100,000+ Oregon consumers or derive revenue from processing data of 25,000+ consumers. A company that's not subject to California's law might be fully subject to Texas's and Oregon's.
The "sale" problem
All US state privacy laws give consumers the right to opt out of the "sale" of their personal data, but state definitions of "sale" diverge in ways that substantially affect which business practices require opt-out mechanisms.
California's CPRA defines "sharing" separately from "sale" to capture behavioral advertising even when no money changes hands — a company sending user data to an ad network that doesn't pay for it is still "sharing" under California's definition, and consumers can opt out. Many other states use a narrower definition tied to monetary consideration, which means behavioral advertising flows that require opt-out in California don't trigger the opt-out requirement in Virginia.
This divergence puts businesses that operate nationally in a difficult position. Calibrating consent flows to California's broad definition and applying them nationwide is operationally simpler than state-specific flows, but may be more restrictive than legally required in states with narrower definitions. Calibrating to each state's specific requirements is more permissive but requires maintaining state-specific logic across the data stack.
Data brokers face specific pressure
Data brokers — companies that collect and sell personal information from a variety of sources — are facing increasing state-specific regulation beyond the general consumer privacy frameworks. California's Delete Act (SB 362), which took full effect in 2026, requires registered data brokers to honor deletion requests submitted through a single state-run portal rather than requiring consumers to contact each broker individually. Texas, Oregon, and several other states have enacted or are developing similar registration and opt-out requirements for data brokers.
The practical effect is that data brokers who previously benefited from the friction of per-broker deletion requests now face consolidated deletion mechanisms that consumers can actually use. Industry data suggests deletion request volumes have increased substantially since California's centralized mechanism went live. That is the mechanism working as intended, but it creates a significant operational burden for brokers, who need to process each request across their entire data pipeline.
Sensitive data: where the rules are strictest
All US state privacy laws treat certain categories of data as "sensitive" and impose stricter requirements — typically opt-in consent rather than opt-out. The categories broadly include biometric data, health data, precise geolocation, financial data, race and ethnicity, religious beliefs, sexual orientation, and children's data. But the specific definitions and requirements vary by state.
Precise geolocation is particularly contested. California requires opt-in consent for collecting "precise geolocation data" defined as within 1,850 feet (~550 meters). Texas uses a similar radius. Some states haven't specified a radius, leaving the threshold ambiguous. For apps that use location features — navigation, local search, weather, fitness — the compliance question of whether they're collecting "precise" geolocation depends on which state's law applies.
What federal legislation would and wouldn't solve
The American Privacy Rights Act (APRA) — the most recent federal privacy bill to gain serious momentum — would preempt state laws in many areas, creating a national floor for consumer rights. It includes data minimization requirements (you can only collect what's necessary for your stated purpose), strong opt-out rights for targeted advertising, and a private right of action for consumers to sue for violations.
Opponents from both industry (concerned about the private right of action and strict data minimization requirements) and consumer advocates (who want stronger protections than the federal bill provides) have stalled it repeatedly. The patchwork is likely to continue expanding for at least the near term.
Practical compliance in a patchwork
For businesses navigating the patchwork, the practical approach most compliance programs have settled on is "highest common denominator with selective calibration." Apply California's framework broadly — it's generally the strictest and covers the largest population — and document where other states have specific requirements that differ.
The operational investments that pay off most consistently are: a comprehensive data inventory (you can't comply with data rights requests if you don't know where the data is), a consent management platform that can serve state-appropriate consent flows, a process for honoring deletion requests across the full data pipeline (not just the primary database), and a documented lawful basis for each category of data processing. These investments are valuable regardless of which states' laws apply and create the foundation for handling whatever new requirements emerge in the next legislative cycle.
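The following is an added illustration, not code from the article or from any compliance vendor, of how two of those investments fit together: a data inventory that registers every system holding personal data, and a deletion process that fans a request out to every registered store (primary database, analytics warehouse, downstream ad partners) and refuses to certify the request as honored if any store with personal data has no deletion handler. All store names, records and handler functions are constructed for the example.

```python
"""Deletion-request fan-out across a registered data inventory (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# In-memory stand-ins for the systems a real inventory would list (constructed data).
PRIMARY_DB: Dict[str, dict] = {
    "c-1001": {"email": "ada@example.net", "state": "CA"},
    "c-1002": {"email": "bob@example.net", "state": "TX"},
}
ANALYTICS_WAREHOUSE: List[dict] = [
    {"consumer_id": "c-1001", "event": "page_view"},
    {"consumer_id": "c-1001", "event": "purchase"},
    {"consumer_id": "c-1002", "event": "page_view"},
]
# Downstream recipients of each consumer's data (constructed); they must get the deletion too.
AD_PARTNER_EXPORTS: Dict[str, List[str]] = {"c-1001": ["ad-network-1"], "c-1002": []}


@dataclass
class DataStore:
    """One row of the data inventory: where personal data lives and how to erase it."""
    name: str
    holds_personal_data: bool
    # Handler returns the number of records removed; None means nobody has registered one yet.
    delete: Optional[Callable[[str], int]]


def delete_from_primary(consumer_id: str) -> int:
    return 1 if PRIMARY_DB.pop(consumer_id, None) is not None else 0


def delete_from_warehouse(consumer_id: str) -> int:
    before = len(ANALYTICS_WAREHOUSE)
    ANALYTICS_WAREHOUSE[:] = [r for r in ANALYTICS_WAREHOUSE if r["consumer_id"] != consumer_id]
    return before - len(ANALYTICS_WAREHOUSE)


def notify_ad_partners(consumer_id: str) -> int:
    # Forward the deletion to every partner that received this consumer's data.
    partners = AD_PARTNER_EXPORTS.pop(consumer_id, [])
    return len(partners)


@dataclass
class DeletionReport:
    consumer_id: str
    per_store: Dict[str, str] = field(default_factory=dict)
    records_removed: int = 0

    @property
    def complete(self) -> bool:
        """True only if every inventoried store reported success."""
        return all(status.startswith("ok") for status in self.per_store.values())


def process_deletion_request(consumer_id: str, inventory: List[DataStore]) -> DeletionReport:
    """Fan the request out to every store in the inventory that holds personal data.

    Fails closed: a store holding personal data with no registered deletion handler,
    or one whose handler raises, blocks completion, because the request cannot be
    certified as honored across the full pipeline.
    """
    report = DeletionReport(consumer_id)
    for store in inventory:
        if not store.holds_personal_data:
            report.per_store[store.name] = "ok (no personal data)"
            continue
        if store.delete is None:
            report.per_store[store.name] = "BLOCKED: no deletion handler registered"
            continue
        try:
            removed = store.delete(consumer_id)
        except Exception as exc:  # a failing store must not be silently skipped
            report.per_store[store.name] = f"FAILED: {exc}"
            continue
        report.records_removed += removed
        report.per_store[store.name] = f"ok ({removed} removed)"
    return report


# The inventory itself: every system that touches consumer data, not just the primary DB.
INVENTORY = [
    DataStore("primary_db", True, delete_from_primary),
    DataStore("analytics_warehouse", True, delete_from_warehouse),
    DataStore("ad_partner_exports", True, notify_ad_partners),
    DataStore("public_docs_cdn", False, None),
]

if __name__ == "__main__":
    report = process_deletion_request("c-1001", INVENTORY)
    print(report.complete, report.records_removed, report.per_store)
```

The design choice worth noting is the fail-closed rule: a store that appears in the inventory but has no deletion handler yields an incomplete report rather than a silent skip, which is what turns the inventory from documentation into an enforceable control.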