Skip to main content

February 20, 2026

20 states now have data privacy laws — and Congress still hasn't acted

Harvard Journal of Law and Technology
UC Berkeley Center for Long-Term Cybersecurity
Wikipedia
Future of Privacy Forum
IAPP
+14

Your privacy rights depend on which state you live in

Twenty states enforce comprehensive consumer data privacy laws as of January 2026. The full list: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Kentucky, Rhode Island, and Florida. Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act all took effect January 1, 2026.

These state laws typically give consumers five core rights: access (see what companies collected), deletion (make companies erase it), correction (fix inaccurate data), portability (get a copy of your data), and opt-out (stop companies from selling your data). But the details vary widely — Rhode Island's law covers businesses processing data on just 35,000 residents, while Indiana and Kentucky set the threshold at 100,000 consumers.

Enforcement falls to state attorneys general, not individual consumers, in most states. Penalties range from $7,500 per violation in Indiana and Kentucky to $10,000 per violation in Rhode Island. Indiana and Kentucky give companies 30 days to fix violations before enforcement; Rhode Island offers no cure period. Only California gives consumers a limited private right of action for data breaches.

Virginia Senator Schuyler VanValkenburg pushed SB 85 through the state Senate 40-0 on February 10, 2026. The bill requires social media platforms and AI model operators to build interoperability interfaces so users can transfer their data to competing services. NetChoice, a tech industry group representing Meta and Google, testified against the bill, arguing forced interoperability creates security vulnerabilities.

Congress came closest to passing a federal privacy law in 2022, when the American Data Privacy and Protection Act cleared the House Energy and Commerce Committee 53-2. Representatives Frank PalloneFrank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) co-authored the bipartisan bill. But House Speaker Nancy PelosiNancy Pelosi never brought it to a floor vote — reportedly to protect California's stronger protections from federal preemption.

Senate Commerce Committee Chair Maria Cantwell blocked the ADPPA from the Senate side because she wanted stronger enforcement and a broader private right of action. In 2024, she co-authored the American Privacy Rights Act with Senator Ted Cruz, but that bill also stalled. The United States remains one of the only major democracies without a comprehensive federal data privacy law.

Without a federal law, Americans' privacy protections depend on their zip code. A California resident can demand deletion of their personal data and sue if a breach exposes it. An Alabama resident has almost no legal tools. The European Union's GDPR, by comparison, covers all 450 million EU residents under one standard, with fines up to 4% of global revenue.

🔒Digital RightsCivil Rights🏛️Government📜Constitutional Law🤖AI Governance

People, bills, and sources

Schuyler VanValkenburg

Virginia State Senator (D-District 16)

Frank Pallone

Frank Pallone

Former Chair, House Energy and Commerce Committee (D-NJ)

Maria Cantwell

Former Chair, Senate Commerce Committee (D-WA)

Nancy Pelosi

Nancy Pelosi

Former House Speaker (D-CA)

Andrew Ferguson

FTC Chairman (appointed by President Trump, 2025)

Daniel Zolnikov

Montana State Senator (R)

What you can do

1

civic action

Look up your state's privacy rights and exercise them

The IAPP maintains a real-time tracker of state privacy laws. Look up whether your state has a law, what rights it gives you, and how to submit data access or deletion requests to companies. If your state has a law, you can typically find opt-out links in company privacy policies.

2

civic action

Contact your members of Congress to push for a federal privacy law

Congress has failed to pass a federal privacy law despite repeated bipartisan attempts. Your representative can co-sponsor or push for new federal privacy legislation that gives all Americans consistent protections regardless of their zip code.

I'm calling to ask you to support comprehensive federal data privacy legislation. Right now, my privacy rights depend on which state I live in — 30 states still have no comprehensive privacy law. The American Data Privacy and Protection Act had bipartisan support in 2022 but never got a floor vote. I want a federal law with real enforcement and the right for consumers to sue companies that violate it.

3

civic action

File a complaint with your state attorney general if a company violates your rights

In all 20 states with privacy laws, the attorney general enforces the law. If a company ignores your data access or deletion request, you can file a complaint. These complaints help AGs identify patterns and build enforcement cases — Texas filed the first active lawsuit under a state comprehensive privacy law in January 2025, against Allstate's data broker subsidiaries.