State privacy laws taking effect in the US in 2026

| state | law_name | effective_date | status | applicability_thresholds | primary_source_url | notes |
| --- | --- | --- | --- | --- | --- | --- |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act | 2026-01-01 | Enacted Law | Applies to businesses controlling/processing data of at least 35,000 Rhode Island consumers, or 10,000 consumers if at least 20% of gross revenue is from the sale of personal data. | | Has notably lower thresholds than other 2026 laws. Reportedly does not include a cure period. Covers commercial websites and ISPs. |
| Utah | Utah Consumer Privacy Act Amendment (HB 418) | 2026-07-01 | Enacted Amendment | Amends UCPA (applies to businesses with $25M+ revenue and 100k consumers or 25k if 50% revenue from sale). Specific provisions for social media companies. | | Prohibits targeted advertising to minors. Requires verifiable consent for teens aged 13-16. Modeled on "COPPA 2.0" framework. |
| Nebraska | Nebraska Age-Appropriate Online Design Code Act | 2026-01-01 | Enacted Law | Applies to online services with actual knowledge of minor users or where at least 2% of users are minors. Thresholds were reportedly broadened in 2026. | | Requires high default privacy settings for minors. Limits data targeting. Part of the Age-Appropriate Online Design Code Act. |
| Indiana | Indiana Consumer Data Protection Act | 2026-01-01 | Enacted Law | Applies to businesses that control/process data of at least 100,000 Indiana consumers, or 25,000 consumers if more than 50% of gross revenue is derived from the sale of personal data. | | Enforcement is exclusive to the Attorney General; provides no private right of action. Contains a 30-day right to cure. |
| Kentucky | Kentucky Consumer Data Protection Act | 2026-01-01 | Enacted Law | Applies to businesses that control/process data of at least 100,000 Kentucky consumers, or 25,000 consumers if more than 50% of gross revenue is derived from the sale of personal data. | | Enforcement is exclusive to the Attorney General. Includes a mandatory cure period and creates a specific consumer privacy fund. |
| Oregon | Oregon Consumer Privacy Act Amendment (HB 2008) | 2026-01-01 | Enacted Amendment | Amends the OCPA (which generally applies to businesses with 100k consumers or 25k if 25% revenue from sale). Specific 2026 prohibitions apply to minor data and precise geolocation. | | Establishes a strict 30-day deadline for consumer breach notifications and a 15-day deadline for reporting to the Attorney General. |
| Maryland | Maryland Online Data Privacy Act | 2026-04-01 | Enacted Law | Applies to businesses controlling/processing data of at least 35,000 Maryland consumers, or 10,000 consumers if at least 20% of gross revenue is from the sale of personal data. | | |
| | | | | Applies to entities using, developing, or deploying AI systems in Texas. Incorporates thresholds and requirements from existing Texas privacy statutes. | | Prohibits harmful AI uses and clarifies biometric consent rules. Establishes a regulatory framework for AI governance in the state. |
| Colorado | Colorado Privacy Act Amendment (HB 24-1130) | 2026-02-01 | Enacted Amendment | Applies to any entity controlling or processing biometric data of Colorado consumers, regardless of general CPA numerical thresholds. | https://leg.colorado.gov/bills/hb24-1130 | Specific provisions for biometric identifiers and children's privacy become effective in February 2026. Requires explicit consent for biometric processing. |
| California | California Consumer Privacy Act Regulations (2026 Package) | 2026-01-01 | Enacted Amendment | Applies to businesses meeting CCPA thresholds ($25M+ revenue, 100k+ consumers, or 50%+ revenue from sale/share). | https://cppa.ca.gov/regulations/ | Introduces mandatory risk assessments and cybersecurity audits. Establishes new rules for consumer consent and opt-out rights. |