State privacy law compliance is no longer a legal footnote – it is a board-level financial exposure that grew by billions of dollars in the last twelve months. In 2025, US states issued an estimated $3.425 billion in privacy-related fines , according to Gartner, more than the previous five years combined. On July 1, 2026, three states changed the rules again, and many organizations that touch US consumer data inherited new or expanded compliance obligations overnight.
This is the operating reality for US data leaders: roughly twenty state data privacy laws are now in effect , with more enacted and coming online, and no federal law to unify them. The American Privacy Rights Act stalled in the 118th Congress; Congress.gov lists H.R. 8818 as introduced and referred to the House Committee on Energy and Commerce. The patchwork won. What follows is the baseline model EWSolutions uses to turn fifty jurisdictions into one governance program.
Who this guide is for: it is written for the US data leaders accountable for that exposure, the chief data officers, chief information security officers, general counsel, and privacy program owners who need to know what changed, what it costs, and exactly what to do in the next 90 days.
What Changed on July 1, 2026
Three states, Connecticut, Arkansas, and Utah, activated new or expanded privacy obligations on July 1, 2026, and the Connecticut changes alone pull thousands of additional businesses into scope. If you assumed your last compliance review still holds, it does not. Here is the plain-language breakdown of the July 1, 2026 developments and why each one matters for companies operating across state lines.
Connecticut
Arkansas
Utah
Connecticut lowered the bar and raised the stakes
The Connecticut Data Privacy Act amendments are the most consequential of the three, and not because they add a single new consumer right. They change who the law applies to. The applicability threshold dropped to 35,000 Connecticut consumers, down from 100,000. That single number brings a large tier of mid-market companies into scope for the first time, particularly those that never treated state data privacy laws as their concern.
Connecticut also expanded its broad definition of sensitive data to include neural data and government-issued identification numbers. Selling sensitive data now requires affirmative consent, an opt-in rather than an opt-out. And privacy notices must now disclose whether personal data is used to train large language models, one of the first state mandates to connect privacy notices directly to AI. For any business that relies on online advertising or online monitoring to build audiences, that disclosure requirement is a direct signal that sensitive data processing is under a brighter light. Connecticut’s CTDPA grants consumers the right to data portability alongside access, correction, and deletion, and enforcement can carry civil penalties of up to $5,000 for each willful CUTPA violation , which can compound fast across a customer base.
Arkansas added minors-focused online privacy rules
Arkansas’s July 1, 2026 development was not an omnibus consumer privacy law. It was the state’s Children and Teens’ Online Privacy Protection Act, which applies to for-profit operators of websites, applications, and online services directed to children or teens, or operators with actual knowledge that they collect minors’ personal data. The law creates a two-tier consent framework for minors and prohibits targeted advertising based on minors’ personal data.
Utah added social media portability and interoperability teeth
The Utah Consumer Privacy Act picked up new social media data portability and interoperability requirements. Utah has historically been one of the more business-friendly state privacy regimes; the July additions narrow that gap in the social media context and confirm that even lighter-touch privacy laws are trending toward more consumer control, not less.
The states are diverging by design
States are not converging on a single standard. They are amending in different directions, lowering thresholds, and bolting on AI-specific and sensitive-data rules at their own pace. That divergence is the core compliance problem for 2026, and it is why treating each state law as a separate project fails.
The 2026 CCPA Regulations Executives Cannot Ignore
California’s amended CCPA regulations took effect January 1, 2026, and they convert privacy from a notice-and-consent exercise into a documented risk-management discipline with hard filing deadlines. For any enterprise with California residents in its customer base, this is the single largest operational change of the year. The California Privacy Protection Agency finalized rules covering three new obligations that map almost exactly to functions your data governance team already owns, or should.
January 1, 2027
Automated decision-making technology rules
By January 1, 2027, businesses using automated decision-making technology to make significant decisions about consumers must provide notice and honor an opt-out. If you deploy AI or algorithmic scoring for hiring, lending, housing, education, employment compensation, or healthcare services, this clause has your name on it. The regulatory trigger is ADMT used to make a significant decision concerning a consumer, as defined in the CPPA regulations.
Eighteen months of work stands behind these deadlines
The phased schedule rewards teams that start immediately. The reason regulators extended these deadlines is that the underlying work, data mapping, assessment methodology, and vendor review, takes eighteen months to do properly. Teams that treat 2028 as the start date will miss it. The significant developments here are procedural, not just substantive: California has told enterprises exactly how it will judge whether they ensure compliance, and the answer is documentation.
The Full Map: State Privacy Laws, State by State
The three July changes do not exist in isolation. They sit on top of a fast-growing base of state privacy laws, and understanding that base is the difference between scoping your risk correctly and guessing. Below is how the most consequential state-level privacy laws now interact for companies with a national footprint.
Colorado
Oregon
Nebraska
New Jersey
Virginia
Texas
Washington
The Colorado Privacy Act
It remains one of the strictest of the state data privacy laws, with universal opt-out honoring, mandatory data protection assessments, and civil penalties up to $20,000 per violation. Colorado also amended its statute to add protections for biometric identifiers and children’s data, and its rules on profiling and behavioral tracking are among the most detailed in the country. Companies operating in Colorado should treat its assessment requirements as a national template rather than a local exception. In the EWSolutions Baseline, Colorado’s assessment standard becomes the default that every other state inherits, which is why we scope to it first.
The Oregon Consumer Privacy Act
Oregon’s law is notable for two reasons. First, it gives consumers the right to obtain a list of the specific third parties that received their personal data, a transparency mandate that most state privacy laws stop short of. Second, its youth-safety rules bar the sale of personal data when a controller knows, or willfully disregards, that a consumer is under sixteen. Oregon treats willful blindness as a liability, which raises the heightened risk for any platform that collects data from young users.
Nebraska and the small-business reach
Nebraska’s privacy law applies to any business that processes or sells personal data and is not a small business under federal standards, with no consumer-number threshold at all. Because Nebraska’s privacy law applies so broadly, companies that escaped other state data privacy laws on volume thresholds can still fall squarely inside Nebraska’s scope. It is a reminder that thresholds are not a reliable shield. What most programs miss here is that a no-threshold statute like Nebraska’s quietly redraws the entire in-scope map, which is why the Baseline keys on residency rather than volume.
New Jersey and the rulemaking wave
New Jersey’s privacy law took effect in 2025 and its implementing regulations continue to expand. New Jersey’s privacy law is significant because it grants rulemaking authority that lets the state add compliance obligations without new legislation, and its treatment of sensitive personal information, including financial account data and precise geolocation, is broader than most peers. National operators, particularly those with large consumer datasets, should watch New Jersey’s privacy law the way they watch California: as a source of ongoing rules, not a fixed target.
Virginia and the model that started the wave
The Virginia Consumer Data Protection Act was passed on March 2, 2021, and became the template that most later state privacy laws followed. Virginia’s VCDPA allows consumers to correct inaccuracies in their data, along with the rights to access, delete, and opt out of targeted advertising. Virginia’s law allows fines up to $7,500 per violation, enforced by the state attorney general with no private right of action. For national operators, the Virginia model remains the baseline that stricter state regimes build on.
Texas and the enforcement frontier
Texas pairs a broad consumer privacy law with an aggressive attorney general and its own AI governance act. Texas has no small-business safe harbor tied to consumer counts, which means many companies operating there are covered even at modest scale. Its enforcement posture is among the most active in the country, and Texas has secured privacy-related settlements measured in the billions. Texas also requires data brokers to register with the Secretary of State, mirroring California’s registration regime.
Washington and the health-data exception
Washington’s My Health My Data Act sits outside the standard omnibus-privacy-law model and defines consumer health data broadly enough to catch companies that never considered themselves health businesses. It carries a private right of action, which creates heightened risk and makes it one of the highest-exposure state data privacy laws in the country for any business that touches health-adjacent data such as fitness, wellness, or reproductive information. In the Baseline we treat Washington’s health-data definition as a separate exposure track, because its private right of action makes it the one state where a scoping error invites litigation rather than a regulator inquiry.
How many state privacy laws are now in effect?
As of mid-2026, roughly twenty state privacy laws are in effect, with several more enacted and phasing in over the next two years. No two are identical. The practical takeaway for US data leaders is that the number will keep climbing, so the goal is not to memorize each state privacy law but to build a program that absorbs the next one as a configuration change.
Sensitive Data: The Category That Triggers the Strictest Rules
Across every state consumer-privacy statute, one category consistently carries the strictest rules: sensitive data. This is where affirmative consent, mandatory assessments, and the largest penalties concentrate, and it is where sensitive data processing decisions most often become enforcement exposure.
Sensitive personal information now carries stricter rules almost everywhere. The typical broad definition includes racial or ethnic origin, national origin, religious beliefs, health and financial information, precise location data, immigration status, and details about a consumer’s sex life or sexual orientation. National origin and sex life sit inside this list in most state data privacy laws, and mishandling such data is the fastest route from a technical gap to a regulatory action.
Biometric identifiers and genetic or biometric data
Biometric identifiers deserve their own attention. Fingerprints, faceprints, voiceprints, and retina scans are biometric identifiers, and genetic or biometric data is treated as sensitive across nearly every state privacy law. Genetic data, such as DNA sequences and ancestry results, is one of the most tightly regulated inputs, and samples collected by consumer testing services often fall under dedicated state genetic-privacy statutes as well. Illinois pioneered private-lawsuit exposure for biometric identifiers, and the newer state data privacy laws have followed by requiring affirmative consent before any such data is collected or sold. When these inputs feed a model, the sensitive data processing rules and the AI rules apply at the same time, which is why it is now the single most litigated sensitive category.
Neural data, precise location, and the new frontier
Connecticut’s July amendments added neural data to the sensitive list, and location data has become a standing enforcement target because it can reveal medical visits, worship, and protest activity. Precise location data, biometric identifiers, and neural data now share the same rulebook: collect them only with informed consent and document a clear minimization purpose.
Most states now require informed consent before sensitive data is collected or sold, engineered as an opt-in rather than a buried disclosure. Informed consent is not a checkbox; regulators expect a clear, specific, and revocable choice. Building informed consent correctly once, and applying it to every sensitive category, is far cheaper than retrofitting it under an enforcement deadline.
Data Brokers, Data Collection, and Online Monitoring
The states are not only regulating what you hold. They are regulating how you acquire it, and data brokers now sit at the center of that scrutiny.
Data brokers: inherited exposure you did not create
A data broker is a business that knowingly sells personal data about consumers with whom it has no direct relationship. California’s Delete Act forces registered data brokers to honor a single deletion request routed through a central platform, and other states are drafting similar registries. If your data collection pipeline buys audiences from these vendors, you inherit their exposure, because every downstream use of that data is still your data collection to defend. Data brokers are also the most common source of the records that end up in profiling and online advertising systems.
Data minimization as a control
The cheapest control in privacy is not to collect data you do not need. Data minimization means data you never collected cannot be breached or fined against, and it is the most consistently ignored discipline in the field. Practiced properly, data minimization shrinks the surface area for data breaches, reduces the volume of consumer requests you must service, and cuts the number of data elements an auditor can question. Every enterprise that decides to collect data at scale should pair that decision with a documented reason and a deletion schedule.
Federal Baselines Still in Force
State law does not operate in a vacuum. Several federal statutes still impose their own compliance obligations on top of the state patchwork, and ignoring them is a common and expensive mistake.
HIPAA and the Health Insurance Portability and Accountability Act
HIPAA governs protected health information held by covered entities such as providers, plans, and clearinghouses, along with their business associates. If your organization is one of these covered entities, HIPAA sets a floor, but the newer state health-data laws often reach further, catching data HIPAA never contemplated.
The Video Privacy Protection Act
The Video Privacy Protection Act (VPPA), a 1988 statute, has become one of the most active litigation vehicles in digital privacy. It restricts sharing a consumer’s video-viewing history, and plaintiffs now use it against any website that streams video and runs advertising pixels. If you embed video and share viewing data with an ad platform, the VPPA is a live exposure, not a historical footnote.
Gramm-Leach-Bliley, financial institutions, and credit reporting
Financial institutions remain governed by the Gramm-Leach-Bliley Act, which requires them to disclose information-sharing practices and protect customer data. Separately, the Fair Credit Reporting Act governs consumer reporting agencies and anyone who uses a credit report for eligibility decisions. Most state data privacy laws exempt data already regulated by these federal regimes, so financial institutions and credit reporting activities require careful mapping to avoid either double-counting obligations or missing a gap. New York’s SHIELD Act, formally a data security act, adds another layer by requiring reasonable safeguards for private information.
Why sectoral law does not cover the gap
The federal statutes are sectoral: they protect specific data in specific hands. The state-level privacy laws are horizontal: they protect consumers regardless of industry. That structural difference is exactly why a company can be fully HIPAA-compliant and still fail a state privacy audit, and why the permitted disclosures allowed under one regime are not automatically allowed under another.
Why the Patchwork Is Now a Board-Level Risk
Enforcement stopped being theoretical in 2025, and the dollar figures now belong in the risk register, not the legal memo. The era of warning letters and voluntary cure periods is closing, and the enforcement mechanisms available to state regulators have sharpened.
The penalties compound per violation, not per incident.
California assesses up to $7,988 per intentional violation, Texas up to $7,500, and Colorado up to $20,000. A single systematic failure, a broken “Do Not Sell” link across a customer base, multiplies into thousands of individual violations.
Beyond Gartner’s $3.425 billion fine estimate for 2025,
The opt-out right is the enforcement magnet
Nearly every public enforcement action so far has centered on the opt-out right: broken preference links, ignored universal opt-out mechanism signals such as Global Privacy Control, or consent interfaces designed to make opting out harder than opting in. If your organization cannot demonstrate that it honors Global Privacy Control signals today, that is your highest-probability enforcement exposure, and it is fixable this quarter. Regulators frame these cases as a direct failure to protect consumers, which plays badly with both the public and the board.
The private-right-of-action exceptions that matter
Most state privacy laws reserve enforcement to the state attorney general and provide no private right of action, but the exceptions matter enormously. California grants a limited private right of action for certain data breaches, and Washington’s health-data law grants a broad private right of action that plaintiffs’ firms are actively testing. Illinois biometric law is the original private right of action model. Where a private right of action exists, the exposure is no longer capped by regulator bandwidth, and a single incident can generate class litigation. Consumers who suffer identity theft or measurable losses from a breach are exactly the plaintiffs these statutes were written to empower, and such claims move quickly once an incident is disclosed.
Children’s Privacy: A Fast-Moving Fault Line
Children’s data draws its own heightened protections, and children’s privacy is one of the fastest-moving areas of the state data privacy laws. Oregon now bars the sale of personal data when a controller knows, or willfully disregards, that a consumer is under sixteen, and Connecticut’s age-appropriate design requirements tighten the same year. Actual knowledge is no longer a safe harbor; willful blindness is now a liability. For any consumer platform, children’s privacy has moved from a compliance edge case to a board-level reputational and legal exposure.
The Baseline Model: One Program, Fifty Jurisdictions
The strategic error most enterprises make is managing state privacy law compliance as fifty separate projects. The correct move is to build one governance baseline that satisfies the strictest common denominator and layer state-specific exceptions on top. This is the EWSolutions State Privacy Baseline, and it is the difference between a program that scales and one that fractures with every new amendment.
The logic is simple. State laws differ at the edges, but they share a hard core. Build to the core once. The EWSolutions State Privacy Baseline rests on six operating pillars.
The measurable outcome
EWSolutions reports that its proprietary governance methodology has reduced program costs by more than 91% versus conventional approaches across documented engagements. Applied to state privacy compliance, the same baseline logic is to build the shared governance core once and treat each new state privacy law as a delta rather than a rebuild; the figure should be read as an EWSolutions-reported engagement benchmark, not a guaranteed dollar outcome.
David Marco, PhD, President & Executive Advisor at EWSolutions, frames privacy readiness as a data governance problem: organizations need clear ownership, documented lineage, and defined accountability, not only legal policy language. The baseline works because it is built on the data governance capabilities the enterprise needed anyway (EWSolutions data governance services ).
What US Data Leaders Do Next
90-Day Executive Sequence
You do not need to solve twenty laws this quarter. You need to close the three gaps that generate the most enforcement risk, then stand up the baseline. Here is a 90-day executive sequence that helps you ensure compliance without trying to fix everything at once.
Confirm universal opt-out actually works
Test that Global Privacy Control signals are honored end to end, across web and mobile, today. This is the single most-enforced control and the fastest to remediate, and demonstrating it is the clearest proof that you protect consumers.
Re-run your applicability map
Connecticut’s drop to 35,000 consumers means your last scoping exercise is stale. Identify every state privacy law that now applies based on consumer residency and volume; remember that Nebraska’s privacy law applies with no threshold at all, so businesses operating there are in scope regardless of size.
Assign a named owner
Compliance without an accountable executive is a wish. Name the person responsible for the privacy program and give them authority over data, not just policy.
Inventory sensitive and AI-touched data
Locate where biometric identifiers, consumer health data, precise geolocation, and any personal data feeding AI or automated systems live. These are the highest-scrutiny categories under the 2026 rules, and genetic or biometric data should top the list.
Stand up standing assessments
Adopt one data protection assessment template and run it on every high-risk activity. California’s deadlines make this non-negotiable, and every other state rewards the same discipline for sensitive data processing.
Rationalize vendors and data collection
Confirm data processing agreements are in place and current with every processor, audit which data brokers feed your systems, and cut data collection flows that no longer serve a documented purpose. Run these six in sequence and you convert a sprawling legal problem into a governed operating capability, one that absorbs the next state law as a configuration change rather than a fire drill.
Sensitive Data, Minors, and AI: The 2026 Fault Lines
The states are converging fastest on three high-risk categories: sensitive personal data, children’s data, and AI processing. These are where 2026 penalties will concentrate, and executives who prioritize here are protecting both consumers and the balance sheet. Connecticut’s mandate to disclose large language model training in privacy notices, California’s automated decision opt-out, and Texas’s AI governance act all point the same direction: if a model touches personal data, that processing is now a privacy obligation, not just an engineering decision.
The through-line across every one of these changes is governance. You cannot protect data you have not inventoried, cannot honor rights you cannot route, and cannot prove compliance you have not documented. The states have made privacy a data-management problem, which means the enterprises that already run disciplined data governance are the ones that will spend 2026 adapting instead of scrambling.
Work With EWSolutions
EWSolutions builds that baseline for US data leaders: one governance program engineered to absorb fifty jurisdictions, reduce redundant compliance obligations, and give the board a defensible answer on privacy risk. There are three ways to start.
Book a compliance consultation. Bring your current state footprint and we will map your highest-probability enforcement exposure in a single working session. Request an Executive Briefing with David Marco, PhD. A board-ready walkthrough of the 2026 changes, the enforcement trend, and what your organization must document before the next state law takes effect.