February 20, 2026
20 states now have data privacy laws as Congress still fails to act on privacy protections
Your privacy rights depend on which state you live in
🔒Digital Rights✊Civil Rights🏛️Government📜Constitutional Law🤖AI Governance
Twenty states enforce comprehensive consumer data privacy laws as of January 2026. The full list: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and Florida. Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act all took effect January 1, 2026.
These state laws typically give consumers five core rights: access (see what companies collected), deletion (make companies erase it), correction (fix inaccurate data), portability (get a copy of your data), and opt-out (stop companies from selling your data). But the details vary widely — Rhode Island's law covers businesses processing data on just 35,000 residents, while Indiana and Kentucky set the threshold at 100,000 consumers.
Enforcement falls to state attorneys general, not individual consumers, in most states
Penalties range from $7,500 per violation in Indiana and Kentucky to $10,000 per violation in Rhode Island
Indiana and Kentucky give companies 30 days to fix violations before enforcement; Rhode Island offers no cure period Only California gives consumers a limited private right of action for data breaches.
Virginia Senator Schuyler VanValkenburg pushed SB 85 through the state Senate 40-0 on February 10, 2026. The bill requires social media platforms and AI model operators to build interoperability interfaces so users can transfer their data to competing services. NetChoice, a tech industry group representing Meta and Google, testified against the bill, arguing forced interoperability creates security vulnerabilities.
Congress came closest to passing a federal privacy law in 2022, when the American Data Privacy and Protection Act cleared the House Energy and Commerce Committee 53-2. Representatives 
Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) co-authored the bipartisan bill. But House Speaker 
Nancy Pelosi never brought it to a floor vote — reportedly to protect California's stronger protections from federal preemption.
Senate Commerce Committee Chair Maria Cantwell blocked the ADPPA from the Senate side because she wanted stronger enforcement and a broader private right of action. In 2024, she co-authored the American Privacy Rights Act with Senator Ted Cruz, but that bill also stalled. The United States remains one of the only major democracies without a comprehensive federal data privacy law.
Without a federal law, Americans' privacy protections depend on their zip code
A California resident can demand deletion of their personal data and sue if a breach exposes it
An Alabama resident has almost no legal tools The European Union's GDPR, by comparison, covers all 450 million EU residents under one standard, with fines up to 4% of global revenue.
🔒Digital Rights✊Civil Rights🏛️Government📜Constitutional Law🤖AI Governance
People, bills, and sources
Schuyler VanValkenburg
Virginia State Senator (D-District 16)
Frank Pallone
Former Chair, House Energy and Commerce Committee (D-NJ)
Maria Cantwell
Former Chair, Senate Commerce Committee (D-WA)
Nancy Pelosi
Former House Speaker (D-CA)
Andrew Ferguson
FTC Chairman (appointed by President Trump, 2025)
Daniel Zolnikov
Montana State Senator (R)
What you can do
1
civic action
Demand federal privacy legislation from your congressional representatives
Nineteen states have passed comprehensive privacy laws while Congress has failed twice to establish national privacy standards. Without federal legislation, Americans face a patchwork of different rights depending on where they live, and companies must navigate 19 different state regulatory systems. Federal privacy law would provide consistent protections nationwide and reduce compliance costs for businesses.
Hello, I am [NAME], a constituent from [CITY/STATE]. I am calling to urge Representative [NAME] to support comprehensive federal privacy legislation.
Key concerns:
- Nineteen states now have comprehensive privacy laws, creating a patchwork of different rights
- Congress failed to pass the American Data Privacy and Protection Act in 2022 and 2024
- The House Energy and Commerce Committee passed federal privacy bills but Senate blocked them
- Without federal law, companies face 19 different state compliance systems
Questions to ask:
- Will Representative [NAME] co-sponsor federal privacy legislation in the current Congress?
- What specific privacy protections does the representative support for constituents?
- How will the representative work to break the Senate deadlock on privacy bills?
Specific request: I urge you to support comprehensive federal privacy legislation that provides consistent protections for all Americans and reduces the regulatory burden on businesses.
Question: What is your position on establishing national privacy standards that preempt state laws?
Thank you for your time.
2
civic action
Contact your members of Congress to push for a federal privacy law
Congress has failed to pass a federal privacy law despite repeated bipartisan attempts. Your representative can co-sponsor or push for new federal privacy legislation that gives all Americans consistent protections regardless of their zip code.
I'm calling to ask you to support comprehensive federal data privacy legislation. Right now, my privacy rights depend on which state I live in — 30 states still have no comprehensive privacy law. The American Data Privacy and Protection Act had bipartisan support in 2022 but never got a floor vote. I want a federal law with real enforcement and the right for consumers to sue companies that violate it.
3
civic action
File a complaint with your state attorney general if a company violates your rights
In all 20 states with privacy laws, the attorney general enforces the law. If a company ignores your data access or deletion request, you can file a complaint. These complaints help AGs identify patterns and build enforcement cases — Texas filed the first active lawsuit under a state comprehensive privacy law in January 2025, against Allstate's data broker subsidiaries.