Nixon Digital


US State Privacy Laws in 2026: 20 States, One Compliance Headache


Three months into 2026, the patchwork of US state privacy laws just got bigger. Indiana, Kentucky and Rhode Island all activated their privacy regimes in January, bringing the total to 20 states with enforceable privacy laws. If you run a website that collects personal information from US residents, this matters.

The real headache isn’t just the number of laws. It’s the sheer variety. One state requires opt-out mechanisms; another demands opt-in consent. Consumer thresholds swing from 35,000 people to 100,000 or higher. Enforcement ranges from private rights of action to attorney general enforcement only. And now 11 states require your website to recognize the Global Privacy Control, a universal opt-out signal most people have never heard of.

This landscape is no longer something to monitor passively. It demands action from compliance teams and website operators today.

Which US State Privacy Laws Are Active in 2026

As of April 2026, 20 states have enacted comprehensive privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia and Washington. More states have legislation moving through their legislatures.

The most recent additions matter most. Indiana’s law, effective January 1, 2026, covers businesses handling personal information of 100,000+ Indiana residents. Kentucky’s law, effective January 1, 2026, uses the same 100,000-consumer threshold. Rhode Island’s privacy law, also effective January 1, 2026, covers businesses controlling data of 35,000+ residents and focuses on the standard consumer rights framework common across state laws.

These newcomers follow patterns established by earlier movers. California’s CCPA (California Consumer Privacy Act) was the trailblazer in 2020, followed by Virginia’s VCDPA in 2021 and Colorado’s CPA in 2022. Each iteration refines the model, yet creates divergence. Virginia pairs opt-out rights (sale, targeted advertising, profiling) with opt-in consent for sensitive data; Colorado requires controller-to-processor contracts and recognition of universal opt-out signals; Connecticut adds its own restrictions on profiling and automated decision-making. Rhode Island slots somewhere in between.

The key question for your website: Does your traffic include residents from these states in sufficient numbers to trigger compliance obligations?

What These Laws Mean for Your Website

State privacy laws focus on three mechanisms websites must implement: data collection transparency, consumer opt-out rights and data subject access.

Transparency requirements are universal across all 20 states. Your privacy policy must disclose what personal information you collect, why you collect it, how long you retain it and who you share it with. Most states require this disclosure before or at the point of collection. The specificity varies. Some laws demand detailed category breakdowns; others accept broader descriptions. Most websites fail this step by burying disclosures or using vague language that doesn’t meet the specificity regulators expect.

Opt-out mechanisms form the spine of most state laws. Here’s where the CCPA model becomes critical to understand. California uses an opt-out framework: residents have the right to direct you to stop selling or sharing their personal information. You must provide a “Do Not Sell or Share My Personal Information” link on your homepage. When someone clicks that link, you have 15 business days to stop selling or sharing their data, and you must pass the request on to the third parties you sold or shared it with. (The 45-day clock applies to access and deletion requests, not opt-outs.)

This is fundamentally different from GDPR, which requires a lawful basis before any processing and, for the cookies and tracking most websites care about, that basis is usually affirmative opt-in consent. US state laws largely flip that model. You can process data by default; residents must ask you to stop.

However, not all 20 states follow the opt-out model uniformly. Virginia, Colorado, Connecticut and others grant consumers the right to request deletion, access, correction and opt-out from profiling. Some require affirmative consent for sensitive personal information (like health data or biometric data), even under opt-out frameworks. Your website must reflect these nuances.

Data subject rights require operational changes. When someone requests their data, you have 30 to 45 days to respond, depending on the state. You must provide information in a portable, commonly used format. Verification standards differ by state; most laws require “commercially reasonable” verification, which in practice ranges from confirming control of an email address to matching several data points you already hold, and the verification burden should scale with the sensitivity of the data requested. Most state laws let you deny requests if they’re manifestly unfounded or excessive. Building intake, verification and fulfillment processes into your website’s workflow becomes non-negotiable.

Universal Opt-Out: The Standard Taking Hold

The newest wrinkle affecting websites is universal opt-out mechanisms. As of 2026, 11 or more states now require websites to recognize the Global Privacy Control (GPC), a signal sent by privacy-focused browsers and extensions.

GPC is a technical standard. When enabled, the browser sends a Sec-GPC: 1 request header on every HTTP request and exposes the same setting to page scripts as navigator.globalPrivacyControl; only the exact value 1 counts as an opt-out. States including Connecticut, Oregon, California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire and Texas now require businesses to treat GPC signals as valid opt-out requests.

From a website perspective, this means you must:

  1. Detect the GPC signal in incoming HTTP requests
  2. Treat it as a binding opt-out request, the same as if someone clicked your “Do Not Sell” link
  3. Honor it across all data flows, including cookies, pixels and third-party integrations
  4. Document compliance in your privacy policy

Many websites don’t yet detect or honor GPC. Brave sends the signal by default, Firefox offers it as a setting, and browser extensions add it to other browsers, meaning you may already be receiving these signals from your traffic. Ignoring them puts you out of compliance in those 11 states.

The complexity escalates when you add advertising platforms and analytics vendors into the picture. You collect the GPC signal, but does your Google Analytics integration respect it? Does your ad network? You bear responsibility for communicating opt-out requirements to vendors and verifying they honor the signal. This is where many websites stumble.
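The four steps above, plus the vendor-gating point, are easy to state and surprisingly easy to get wrong (case-sensitive header lookups, treating Sec-GPC: 0 as an opt-out, letting a CDN cache a tracking page for an opted-out browser). Below is an added example in Node.js; it is not code from this article or from Nixon Digital. It detects the Sec-GPC header, treats it as equivalent to an explicit “Do Not Sell” choice, decides which third-party tags may load, and sets a persistent opt-out cookie so the decision sticks. The cookie name, the tag catalogue and the sample requests are all constructed for illustration.

```javascript
// Added example (not from the original article): server-side handling of the
// Global Privacy Control signal. Cookie and tag names below are assumptions.

const OPT_OUT_COOKIE = 'privacy_optout'; // assumed: set when the user clicks the "Do Not Sell" link

// The GPC spec defines the request header "Sec-GPC"; only the exact value "1"
// is an opt-out. "0", an absent header, or anything else is NOT an opt-out.
// Header names are matched case-insensitively because frameworks differ.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Minimal parser for the request Cookie header ("a=1; b=2").
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// One decision per request. An explicit link click and a GPC signal are
// equally binding; the source is returned so it can be logged for your records.
function resolveOptOut(headers) {
  const cookies = parseCookies(headers.cookie ?? headers.Cookie);
  if (cookies[OPT_OUT_COOKIE] === '1') return { optedOut: true, source: 'link' };
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  return { optedOut: false, source: null };
}

// Constructed tag catalogue. Each third-party integration is flagged by whether
// loading it amounts to a "sale or share"; strictly necessary tags always load.
const TAGS = [
  { id: 'first-party-session', saleOrShare: false },
  { id: 'analytics-vendor', saleOrShare: true },
  { id: 'ad-network-pixel', saleOrShare: true },
  { id: 'fraud-detection', saleOrShare: false },
];

// Returns the tags allowed to load and the response headers that make the
// decision durable: a one-year opt-out cookie when GPC was seen, and Vary so a
// cache never serves the tracking variant of a page to an opted-out browser.
function applyOptOut(decision, tags = TAGS) {
  const allowed = tags
    .filter((t) => !(decision.optedOut && t.saleOrShare))
    .map((t) => t.id);
  const responseHeaders = { Vary: 'Sec-GPC, Cookie' };
  if (decision.optedOut && decision.source === 'gpc') {
    responseHeaders['Set-Cookie'] =
      `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`;
  }
  return { allowed, responseHeaders };
}

// Client-side twin for tag managers: browsers expose the same signal on navigator.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Constructed sample requests, as different browsers would send them.
const SAMPLE_REQUESTS = {
  gpcOn:  { host: 'example.com', 'sec-gpc': '1' },
  gpcOff: { host: 'example.com', 'sec-gpc': '0' },
  plain:  { host: 'example.com' },
  linked: { host: 'example.com', cookie: 'session=abc; privacy_optout=1' },
};

for (const [label, headers] of Object.entries(SAMPLE_REQUESTS)) {
  const decision = resolveOptOut(headers);
  console.log(label, decision, applyOptOut(decision).allowed);
}
```

In production, the decision object is what you hand to your tag manager or consent platform: every vendor tag flagged as a sale or share is simply never injected, which is the only way to be sure a third party "honors" the signal. The Vary header matters if a CDN or reverse proxy sits in front of the site, since a cached page that already includes the ad pixel would otherwise defeat the server-side check.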

The Practical Challenge: Different Rules, One Website

Here’s the central problem most website operators face. You run one website. It serves residents from 20 different states, plus potentially international visitors. Each state demands slightly different behavior.

Coverage thresholds create the first layer of complexity. Texas and Nebraska apply to any business that does business in the state and isn’t a small business, with no numeric consumer threshold. Rhode Island uses a 35,000-consumer threshold; Indiana, Kentucky, Virginia and Connecticut use 100,000. The question becomes: do you track how many residents from each state access your website? How granular is your traffic analysis? Most smaller companies don’t maintain this data, creating compliance exposure.

Enforcement models compound the problem. California grants consumers private right of action, meaning they can sue directly for data breaches. Most other states grant only attorney general enforcement, meaning you face regulatory action but not private lawsuits. This changes your risk profile state by state. Some companies pay more attention to states where consumers can sue.

Technical implementation demands centralized systems. You can’t run 20 different versions of your website. Instead, you need one privacy infrastructure that detects visitor state (via IP geolocation), identifies applicable laws, and dynamically applies the correct opt-out mechanisms, data subject request processes and privacy disclosures. Bear in mind that IP geolocation is approximate and defeated by VPNs and mobile carrier NAT, so many operators simply apply the strictest applicable state rule to all US traffic rather than try to tailor behavior per visitor.

In practice, this means:

  • A single privacy control panel that manages opt-out requests across all states
  • Cookie consent tools that reflect different state requirements
  • Privacy policy builder logic that pulls in state-specific disclosures
  • Data subject request workflows that route to the right verification process by state
  • Vendor management to ensure third parties honor state-specific opt-out signals

Most companies build this piecemeal. They add Connecticut compliance, then Virginia, then realize they need to refactor for scalability. By the time they’ve added four or five states, they’re managing technical debt.

Moving Forward: What Your Website Needs Now

If your website collects personal information from US residents, your 2026 compliance checklist should include:

Audit your current state. Run through the 20 state laws applicable to your traffic volume. Identify which states trigger coverage thresholds for your business. Document what you’re currently doing vs. what each state requires.

Implement universal opt-out mechanisms. Start with your homepage “Do Not Sell” link. Make sure it’s conspicuous and functional. Add GPC signal detection. Test it in browsers that enable GPC by default. Verify your ad network and analytics platforms honor the signal.

Review your privacy policy. Generic privacy policies fail state law audits. Each state expects specific disclosures tied to its law. Use a privacy policy template that incorporates state-specific requirements, or hire counsel to review yours.

Build data subject request workflows. Create an intake form on your website that captures deletion, access and correction requests. Set up verification processes and fulfillment timelines that meet the strictest state requirement you’re subject to. Document everything.

Evaluate your vendor contracts. Service providers and data processors must acknowledge their obligations under state laws. Review existing vendor agreements and add state privacy law requirements to new contracts.

Plan for ongoing monitoring. With 20 states and more likely coming, compliance will evolve. Assign someone to track legislative changes and flag new requirements. This is not a one-time project.

If your organization lacks in-house expertise to manage this complexity, tools designed for website privacy auditing can help you understand your technical exposure. Nixon Pro scans your website to identify what tracking loads before consent, which third parties receive visitor data, and where your consent implementation has gaps – all of which feeds directly into your state-by-state compliance work. For ongoing monitoring as your website changes, Nixon Platform alerts you when new scripts appear or consent behavior shifts.

The patchwork of US state privacy laws won’t simplify in 2026. But systematic, methodical compliance across all 20 states is achievable. The cost of ignoring the problem grows each quarter. For a regularly updated overview of which states have enacted laws and their key provisions, the IAPP US State Privacy Legislation Tracker is a reliable reference.

If you need guidance on your specific compliance obligations, get in touch with a compliance specialist who can map your requirements against your traffic and business model.
