As of mid-2026, twenty U.S. states have comprehensive consumer privacy laws on the books. The federal landscape is still a patchwork (the American Privacy Rights Act has not moved), so businesses operating nationally are managing a quilt of overlapping but non-identical state requirements.
Here is a working map for small and mid-market businesses trying to stay compliant without retaining outside privacy counsel year-round.
The starting point: who is covered
Most state privacy laws apply only to businesses above a size threshold. Common triggers:
- Annual revenue of $25 million or more (California, several others).
- Processing the personal data of 100,000 or more state residents per year.
- Deriving 50 percent or more of revenue from selling personal data.
If you are below all the thresholds in every state where you do business, you may technically be outside the scope of the comprehensive laws. But this is a poor planning posture: thresholds get lowered over time, your business will grow, and other obligations (children's privacy, health data, biometrics) apply regardless of size.
What the laws actually require
Despite differences, the comprehensive state laws share a common architecture. If your privacy program covers the following, you are 80 percent of the way to compliance everywhere:
A clear privacy notice. What you collect, why, who you share it with, how long you keep it, and what rights consumers have. The notice has to be linked from every page that collects data and from the homepage.
Consumer rights mechanisms. Most laws give consumers the right to know what data you hold about them, the right to delete it, the right to correct it, and the right to opt out of sale or targeted advertising. You need an internal process to verify a request and respond within 45 days.
A data inventory. You cannot honor a deletion request if you do not know where the data lives. The inventory does not need to be elaborate, but it does need to cover every system that holds consumer personal data, the type of data in each, and the retention period.
Vendor contracts with data terms. Anyone you share consumer data with (payment processors, email platforms, analytics tools, hosting providers) needs to be bound by contract terms that limit their use of the data to your instructions. Most major vendors publish a Data Processing Addendum (DPA) you can sign electronically.
A security program. Reasonable administrative, technical, and physical safeguards. Most laws do not specify what reasonable means, but a written information security policy, role-based access controls, encryption at rest and in transit, and a documented incident response plan are baseline.
Where the laws diverge
Three areas where you cannot just use one program for all states:
Sensitive data. Several states (Virginia, Colorado, Connecticut) require opt-in consent before processing sensitive categories (race, religion, sexual orientation, health, biometrics, precise location, and so on). California requires the right to limit use of sensitive data. If you collect any sensitive data, you need a separate workflow for those categories.
Children's data. All of the comprehensive laws have heightened protections for data of consumers under 16 or 18, but the thresholds vary. California requires opt-in to sell data of consumers under 16. Connecticut bans targeted advertising to anyone under 18. If you have any reason to know a user is a minor, route them through a stricter flow.
Opt-out signals. California, Colorado, and others require businesses to honor universal opt-out signals like Global Privacy Control (GPC). Your site should detect GPC and apply the opt-out automatically. Most modern consent management platforms handle this; if you are using cookie banners from five years ago, they probably do not.
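The detection described above, as an added example that is not part of the original article: GPC arrives as the `Sec-GPC: 1` request header on the server and as `navigator.globalPrivacyControl === true` in the browser, and this code turns either signal into the opt-out state the site must apply. The consent record shape, purpose names and sample request are constructed for the example.

```javascript
// Added example, not code from the article: detect a Global Privacy Control
// (GPC) signal and turn it into the opt-out state a site must apply.
// GPC reaches a site on two channels: the request header "Sec-GPC: 1" on
// the server, and navigator.globalPrivacyControl === true in the browser.

// True when either channel carries the signal. `headers` is a plain object
// keyed by lower-cased header name; `nav` is window.navigator or a stand-in.
function gpcSignaled(headers = {}, nav = {}) {
  const header = String(headers["sec-gpc"] ?? "").trim();
  return header === "1" || nav.globalPrivacyControl === true;
}

// Consent record shape used here (a constructed format, not a standard):
// { sale_or_sharing: bool, targeted_advertising: bool, source: string }.
// In the U.S. opt-out model both purposes default to allowed until the
// consumer (or their browser) says otherwise.
function defaultChoices() {
  return { sale_or_sharing: true, targeted_advertising: true, source: "default" };
}

// Merge the stored record (null on a first visit) with the GPC result.
// A GPC signal is treated as a valid opt-out request and applied
// automatically, overriding an earlier "allow"; the source is recorded so
// the decision can be explained to the consumer or an auditor later.
function applyPrivacyChoices(stored, gpc) {
  const choices = { ...defaultChoices(), ...(stored ?? {}) };
  if (gpc) {
    choices.sale_or_sharing = false;
    choices.targeted_advertising = false;
    choices.source = "gpc";
  }
  return choices;
}

// Gate a tag or pixel on the purpose it serves. Strictly necessary
// processing is never gated; anything else needs the purpose to be allowed.
function mayLoadTag(choices, purpose) {
  if (purpose === "necessary") return true;
  return choices[purpose] === true;
}

// Constructed sample: a request from a GPC-enabled browser whose earlier
// banner consent allowed sale and targeted ads.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "example-browser/1.0" };
const sampleStored = { sale_or_sharing: true, targeted_advertising: true, source: "banner" };
const sampleChoices = applyPrivacyChoices(sampleStored, gpcSignaled(sampleHeaders));
// sampleChoices.targeted_advertising === false, sampleChoices.source === "gpc"
```

A cookie banner that only checks its own stored record would keep loading the ad tags here; the GPC branch is what makes the opt-out automatic.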
GDPR is its own animal
If you offer goods or services to EU residents or monitor their behavior, GDPR applies regardless of where you are based, and it is stricter than every U.S. state law on almost every dimension.
The biggest gaps for U.S. businesses adding GDPR compliance are:
- Lawful basis: under GDPR, you need a documented legal basis for every processing activity (consent, contract, legal obligation, vital interest, public interest, or legitimate interest). U.S. laws generally let you process unless the consumer opts out.
- Data subject rights: GDPR gives data subjects rights similar to U.S. laws but with shorter response times (one month, extendable) and more procedural detail.
- Cross-border transfers: data leaving the EU needs a transfer mechanism. For U.S. recipients, the Data Privacy Framework is the standard option if you have self-certified.
- DPO and Article 30 records: if you process at scale or process sensitive categories, you may need a designated Data Protection Officer and a written record of processing activities.
A workable minimum program
For a U.S.-only business operating below GDPR reach:
- Publish a privacy notice that covers the elements every state requires.
- Build (or buy) a consumer request portal that handles right-to-know, delete, and opt-out for all states, with the strictest state rules as the baseline.
- Implement a consent management platform that detects GPC and supports the categories you need.
- Sign DPAs with every vendor that processes personal data on your behalf.
- Maintain a written incident response plan and test it once a year.
- Train customer-facing staff on how to recognize a consumer rights request.
This is not full compliance with every state, but it is a defensible baseline that scales as new states enact laws, and most new state laws are following a similar template.
When to bring in counsel
You do not need a privacy lawyer to run this baseline program. You do need one if you are processing health, financial, or biometric data; entering the EU market; have had a data breach or near-miss; are being acquired and the acquirer is doing privacy diligence; or are building a new product that handles consumer data differently than the rest of the business.
If you are at one of those inflection points and want a privacy attorney in your state, LawSens.ai can match you.