20 states now have data privacy laws as Congress still fails to act on privacy protections
Your privacy rights depend on which state you live in
Twenty states enforce comprehensive consumer data privacy laws as of January 2026. The full list: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and Florida. Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act all took effect January 1, 2026.
Key Concepts
Essential concepts and terms to understand this topic
Federalism and State Power
The constitutional system that divides power between national and state governments, determining who controls immigration, healthcare, voting, and other major policies.
Federal vs. State Regulation
The tension between having one national standard for laws versus letting each state set its own rules.
Data Brokers
Companies that collect personal information from public records, online activity, and commercial transactions, then sell detailed profiles of individuals to businesses, governments, and anyone who pays.
Privacy Act of 1974
A federal law restricting how the government can collect, use, and share personal information about Americans.
Digital Privacy
Fourth Amendment protection requiring warrants before police search digital devices containing personal data.
Consumer Rights
Legal protections that give people control over how businesses collect, use, and sell their personal information and products.
Key People
6
Schuyler VanValkenburg
Virginia State Senator (D-District 16)
VanValkenburg sponsored SB 85, which passed the Virginia Senate 40-0 on February 10, 2026. The bill requires social media platforms and AI model operators to provide interoperability interfaces so users can move their data to competing services β a direct challenge to the lock-in strategies of Facebook and Google.
Frank Pallone
Former Chair, House Energy and Commerce Committee (D-NJ)
Pallone co-authored the American Data Privacy and Protection Act in 2022 with Republican Cathy McMorris Rodgers. The ADPPA passed committee 53-2, the first federal privacy bill to clear that hurdle β but House Speaker Pelosi never called a floor vote, and the bill died when the 117th Congress adjourned January 2023.
Maria Cantwell
Former Chair, Senate Commerce Committee (D-WA)
Cantwell controlled whether any federal privacy bill reached the Senate floor and blocked the ADPPA because she wanted stronger enforcement and a broader private right of action. In 2024, she co-authored the American Privacy Rights Act with Senator Ted Cruz β but that bill also stalled before the session ended.
Nancy Pelosi
Former House Speaker (D-CA)
Pelosi declined to schedule the ADPPA for a floor vote in 2022, reportedly to protect California's stronger privacy law from federal preemption. California's CCPA/CPRA gives residents significantly broader rights than the proposed federal standard, and Pelosi prioritized protecting those rights over creating a national baseline.
AF
Andrew Ferguson
FTC Chairman (appointed by President Trump, 2025)
Ferguson replaced Lina Khan as FTC chair in 2025 and shifted the agency toward traditional enforcement rather than new rulemaking. Without a federal privacy law, the FTC remains the main federal enforcer using its general authority under Section 5 of the FTC Act. Ferguson has focused on children's privacy and data security.
DZ
Daniel Zolnikov
Montana State Senator (R)
Zolnikov championed Montana's consumer data privacy act and returned in 2025 with SB 297 to strengthen it β lowering the applicability threshold to 25,000 consumers and removing the right to cure violations before enforcement. His bipartisan approach shows privacy legislation crossing party lines at the state level.
Claims & Perspectives
True
True
Twenty states have comprehensive consumer data privacy laws in effect as of January 2026.
Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act all took effect January 1, 2026, bringing the total to 20 states. Confirmed by IAPP, Koley Jessen, and MultiState.
True
Congress has never passed a comprehensive federal data privacy law.
The ADPPA passed committee 53-2 in 2022 but never received a floor vote. No comprehensive federal privacy law has ever been enacted. The U.S. is one of the only major democracies without one.
True
Virginia's SB 85 passed the state Senate unanimously 40-0 on February 10, 2026.
LegiScan confirms SB 85 passed the Virginia Senate 40-0 and was referred to the House Committee on Communications, Technology and Innovation as of February 13, 2026.
True
The EU's GDPR fines companies up to 4% of global annual revenue for violations.
GDPR Article 83 sets maximum fines at β¬20 million or 4% of total worldwide annual turnover, whichever is higher. This is significantly stronger than any U.S. state law.
What you can do
Demand federal privacy legislation from your congressional representatives
civic action
Nineteen states have passed comprehensive privacy laws while Congress has failed twice to establish national privacy standards. Without federal legislation, Americans face a patchwork of different rights depending on where they live, and companies must navigate 19 different state regulatory systems. Federal privacy law would provide consistent protections nationwide and reduce compliance costs for businesses.
Contact your members of Congress to push for a federal privacy law
civic action
Congress has failed to pass a federal privacy law despite repeated bipartisan attempts. Your representative can co-sponsor or push for new federal privacy legislation that gives all Americans consistent protections regardless of their zip code.
File a complaint with your state attorney general if a company violates your rights
civic action
In all 20 states with privacy laws, the attorney general enforces the law. If a company ignores your data access or deletion request, you can file a complaint. These complaints help AGs identify patterns and build enforcement cases β Texas filed the first active lawsuit under a state comprehensive privacy law in January 2025, against Allstate's data broker subsidiaries.