20 states now have data privacy laws — and Congress still hasn't acted

Twenty states enforce comprehensive consumer data privacy laws as of January 2026. The full list: 🌴California, 🏛️Virginia, 🏔️Colorado, 🦞Connecticut, 🏜️Utah, 🌽Iowa, 🏎️Indiana, 🎸Tennessee, 🦌Montana, 🤠Texas, 🌲Oregon, 🐔Delaware, 🍁New Hampshire, 🏖️New Jersey, 🌽Nebraska, 🦆Minnesota, 🦀Maryland, 🐴Kentucky, ⚓Rhode Island, and 🌴Florida. Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act all took effect January 1, 2026.

These state laws typically give consumers five core rights: access (see what companies collected), deletion (make companies erase it), correction (fix inaccurate data), portability (get a copy of your data), and opt-out (stop companies from selling your data). But the details vary widely — ⚓Rhode Island's law covers businesses processing data on just 35,000 residents, while 🏎️Indiana and 🐴Kentucky set the threshold at 100,000 consumers.

Enforcement falls to state attorneys general, not individual consumers, in most states. Penalties range from $7,500 per violation in 🏎️Indiana and 🐴Kentucky to $10,000 per violation in ⚓Rhode Island. Indiana and Kentucky give companies 30 days to fix violations before enforcement; Rhode Island offers no cure period. Only 🌴California gives consumers a limited private right of action for data breaches.

🏛️Virginia Senator SVSchuyler VanValkenburg pushed SB 85 through the state Senate 40-0 on February 10, 2026. The bill requires social media platforms and AI model operators to build interoperability interfaces so users can transfer their data to competing services. NetChoice, a tech industry group representing Meta and Google, testified against the bill, arguing forced interoperability creates security vulnerabilities.

Congress came closest to passing a federal privacy law in 2022, when the American Data Privacy and Protection Act cleared the House Energy and Commerce Committee 53-2. Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA) co-authored the bipartisan bill. But House Speaker Nancy Pelosi never brought it to a floor vote — reportedly to protect 🌴California's stronger protections from federal preemption.

Senate Commerce Committee Chair MCMaria Cantwell blocked the ADPPA from the Senate side because she wanted stronger enforcement and a broader private right of action. In 2024, she co-authored the American Privacy Rights Act with Senator Ted Cruz, but that bill also stalled. The United States remains one of the only major democracies without a comprehensive federal data privacy law.

Without a federal law, Americans' privacy protections depend on their zip code. A 🌴California resident can demand deletion of their personal data and sue if a breach exposes it. An 🏈Alabama resident has almost no legal tools. The European Union's GDPR, by comparison, covers all 450 million EU residents under one standard, with fines up to 4% of global revenue.