Key Takeaways
- 20+ US states have enacted comprehensive privacy laws as of 2026
- Most state laws follow an opt-out model (unlike GDPR opt-in), but requirements vary significantly
- Global Privacy Control (GPC) is legally required in 12 states (CA, CO, CT, DE, MD, MN, MT, NE, NH, NJ, OR, TX) as of 2026
- Universal opt-out mechanisms are becoming the standard, with more states adding GPC requirements each year
- A single website serving all 50 states needs to handle different consent rules per visitor location
The US Privacy Landscape: No Federal Law, 20+ State Laws
Congress has debated federal privacy legislation for years. The ADPPA passed a House committee in 2022 before stalling. The APRA was introduced in 2024 and met the same fate. As of March 2026, no federal bill has passed.
The sticking point is preemption: California wants to keep its stronger protections, industry wants a single standard. Until they agree, the patchwork grows.
For developers, three practical consequences:
- You cannot build one consent experience and call it done. Different states mean different rights, different GPC requirements, different consent models.
- You need geo-detection. Your site must determine visitor location and apply the correct model automatically.
- The surface area keeps expanding. Every legislative session, new states pass laws. Your implementation must be adaptable.
The Three Consent Models
Opt-Out (most common). Businesses collect and process data by default. Consumers opt out of sales, targeted advertising, and profiling. Analytics and marketing scripts run by default, but you must honor opt-out requests and universal opt-out mechanisms like GPC.
Opt-In for Sensitive Data. Most states require affirmative consent before processing sensitive data (health, biometric, precise geolocation, children's data). This creates a hybrid: opt-out for standard data, opt-in for sensitive data.
Notice-Only for Sensitive Data. Utah (and Iowa, per the table below) uses a more permissive model. Consumers can still opt out of sale and targeted advertising, but sensitive data requires only notice and an opportunity to opt out rather than affirmative consent.
See how ConsentStack handles geo-detection
State-by-State Comparison
| State | Law | Effective | Consent Model | GPC Required | Key Unique Provisions |
|---|---|---|---|---|---|
| California | CCPA/CPRA | 2020/2023 | Opt-out (opt-in for minors <16) | Yes | Broadest scope. Private right of action. CPPA enforcement. "Do Not Sell or Share" link. |
| Virginia | VCDPA | Jan 2023 | Opt-out (opt-in sensitive) | No | AG only. Narrow "sale" definition (monetary). |
| Colorado | CPA | Jul 2023 | Opt-out (opt-in sensitive) | Yes | First besides CA to mandate universal opt-out. Biennial assessments. |
| Connecticut | CTDPA | Jul 2023 | Opt-out (opt-in sensitive) | Yes | Covers nonprofits. Health data is sensitive. Broad "sale" definition. |
| Utah | UCPA | Dec 2023 | Notice-only / Opt-out | No | Most business-friendly. $25M revenue threshold. No opt-in for sensitive data. |
| Texas | TDPSA | Jul 2024 | Opt-out (opt-in sensitive) | Yes | No revenue threshold. Applies to any entity in Texas. |
| Oregon | OCPA | Jul 2024 | Opt-out (opt-in sensitive) | Yes | Covers nonprofits. Transgender/nonbinary data is sensitive. |
| Montana | MCDPA | Oct 2024 | Opt-out (opt-in sensitive) | Yes | Low threshold (50,000 consumers). |
| Delaware | DPDPA | Jan 2025 | Opt-out (opt-in sensitive) | Yes | Covers nonprofits. Low threshold (35,000 consumers). |
| Iowa | ICDPA | Jan 2025 | Opt-out | No | Narrowest scope. 90-day cure period. No opt-in for sensitive data. |
| New Hampshire | NH SB 255 | Jan 2025 | Opt-out (opt-in sensitive) | Yes | Close to Connecticut model. |
| New Jersey | NJ SB 332 | Jan 2025 | Opt-out (opt-in sensitive) | Yes | Financial data is sensitive. No cure period. |
| Tennessee | TIPA | Jul 2025 | Opt-out (opt-in sensitive) | No | Affirmative defense for NIST-aligned privacy programs. |
| Minnesota | MNCDPA | Jul 2025 | Opt-out (opt-in sensitive) | Yes | Right to question automated decisions. Data inventories required. |
| Maryland | MODPA | Oct 2025 | Opt-out (opt-in sensitive) | Yes | Stricter data minimization. One of the more restrictive laws. |
| Indiana | ICDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Virginia model. |
| Kentucky | KCDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Virginia/Connecticut hybrid. |
| Nebraska | NDPA | Jan 2025 | Opt-out (opt-in sensitive) | Yes | No revenue or volume threshold. |
| Rhode Island | RIDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Transparency reports required. |
| Florida | FDBR | Jul 2024 | Opt-out (opt-in sensitive) | No | Narrow applicability ($1B revenue threshold). Strongest base penalties ($50,000+). |
Coming soon: Vermont (Jul 2026, includes private right of action), Wisconsin (Jan 2026), Michigan and Pennsylvania (pending).
Where States Diverge: Key Provisions
Sale of Personal Data
Narrow definition (monetary only): Virginia, Utah, Iowa, Indiana. Sharing data with an ad platform for free may not qualify as a "sale."
Broad definition (includes non-monetary exchange): California, Colorado, Connecticut, Texas, Oregon, Delaware, New Jersey, Maryland. Sharing data with an ad platform in exchange for ad services qualifies.
The safest approach: treat any data sharing with third-party advertising platforms as a potential "sale" and provide opt-out universally.
Sensitive Data
Nearly every state treats sensitive data differently, requiring opt-in consent. Universal categories include: racial/ethnic origin, religious beliefs, health data, sexual orientation, genetic/biometric data, and children's data.
State-specific additions: California adds SSN, financial accounts, precise geolocation, and mail/message contents. Oregon adds transgender/nonbinary status. Connecticut and Texas add precise geolocation (within 1,750 feet). New Jersey adds financial data. Maryland restricts sensitive data processing to what is strictly necessary.
If your app collects any of these, you need opt-in consent, and the categories depend on the visitor's state.
Children's Data
All states defer to COPPA for under-13. California requires opt-in for under-16 for sale/sharing. Most other states classify children's data as sensitive requiring opt-in. If your site has users under 16, California imposes the strictest requirements.
Global Privacy Control: Which States Require It
As of 2026, these states legally require businesses to honor GPC: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
When GPC is detected from a visitor in a requiring state:
- Suppress sale/sharing of personal data immediately
- Block targeted advertising scripts
- Do not require additional confirmation
- Apply the opt-out with no processing delay
The complexity grows with the number of requiring states. You need to detect the signal, determine visitor location, check state requirements, and apply the response. A CMP that handles geo routing and per-state opt-out flows eliminates most of this burden. ConsentStack maps state-by-state opt-out and sensitive-data behavior across the supported US states, detects GPC server-side via the geo-proxy and client-side via navigator.globalPrivacyControl, and honors the signal by default in the 12 requiring states.
See the ConsentStack compliance engine | Google Consent Mode v2 setup guide
Geo-Detection: The Core Engineering Problem
With 20+ states imposing different requirements, geo routing is not optional. Without it, you either apply California's strictest requirements to everyone (legally safe but operationally burdensome) or apply the weakest and hope for the best (not defensible).
How It Works
CDN-level headers (best approach). Cloudflare sends CF-IPCountry by default and can add region headers (CF-Region, CF-Region-Code) through its visitor-location headers setting. AWS CloudFront and Fastly offer similar headers. State-level accuracy is 95%+ for US visitors, though VPNs and mobile carrier networks can still place a visitor in the wrong state. Treat these headers as trusted only when the request actually came through the CDN: if your origin is reachable directly, a client can set them itself, so restrict origin access to the CDN's address ranges.
IP geolocation databases. MaxMind GeoIP for server-side lookup when no CDN fronts the site.
User self-selection (fallback only). A dropdown asking visitors to confirm their state. Not recommended as the sole method.
The implementation flow: visitor arrives, CDN determines state, consent logic maps state to applicable law, correct experience renders, GPC is checked, preferences are stored.
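The flow above, and the GPC handling rules from the previous section, as an added example in Node.js. This is illustration code written for this article, not ConsentStack's implementation. The header names follow Cloudflare's visitor-location headers (cf-ipcountry, cf-region-code), CloudFront's viewer-location headers and the GPC specification (Sec-GPC: 1); verify them against your CDN's documentation. The per-state flags are transcribed from the comparison table above; Virginia is marked opt-in for sensitive data because the VCDPA requires consent before processing it.

```javascript
// Added example (not ConsentStack's code): resolve one visitor's consent policy from
// CDN geolocation headers plus the Global Privacy Control signal, then build the record
// to persist. Header names are assumptions to check against your CDN's documentation.

// Transcribed from the comparison table in this article.
const STATE_LAWS = {
  CA: "CCPA/CPRA", VA: "VCDPA", CO: "CPA", CT: "CTDPA", UT: "UCPA", TX: "TDPSA",
  OR: "OCPA", MT: "MCDPA", DE: "DPDPA", IA: "ICDPA", NH: "NH SB 255", NJ: "NJ SB 332",
  TN: "TIPA", MN: "MNCDPA", MD: "MODPA", IN: "ICDPA", KY: "KCDPA", NE: "NDPA",
  RI: "RIDPA", FL: "FDBR",
};
// States whose law requires honoring universal opt-out signals such as GPC.
const GPC_REQUIRED = new Set(["CA", "CO", "CT", "DE", "MD", "MN", "MT", "NE", "NH", "NJ", "OR", "TX"]);
// States that require only notice and an opt-out (no affirmative consent) for sensitive data.
const NO_SENSITIVE_OPT_IN = new Set(["UT", "IA"]);
const TWO_LETTER = /^[A-Z]{2}$/;

function header(headers, name) {
  return String(headers[name.toLowerCase()] ?? "").trim().toUpperCase();
}

// Step 1: determine the visitor's state. CDN headers first; a self-declared state is
// accepted only when the CDN gave nothing (self-selection is a fallback, not the source).
function resolveVisitorState(headers, declaredState) {
  const country = header(headers, "cf-ipcountry") || header(headers, "cloudfront-viewer-country");
  const region = header(headers, "cf-region-code") || header(headers, "cloudfront-viewer-country-region");
  if (country && country !== "US") return { country, state: null, source: "cdn" };
  if (country === "US" && TWO_LETTER.test(region)) return { country, state: region, source: "cdn" };
  const declared = String(declaredState ?? "").trim().toUpperCase();
  if (TWO_LETTER.test(declared)) return { country: "US", state: declared, source: "declared" };
  return { country: country || null, state: null, source: "unknown" };
}

// Step 2: detect GPC. Server side the browser sends "Sec-GPC: 1"; client side the same
// signal is navigator.globalPrivacyControl === true. Either one is an opt-out request.
function gpcSignaled(headers, nav) {
  if (String(headers["sec-gpc"] ?? "").trim() === "1") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Steps 3 and 4: map state to law and compute what the page may do for this visitor.
// savedChoice is the visitor's stored preference ("opt-out" | "allow" | null).
function resolveConsentPolicy({ headers = {}, navigator = null, declaredState = null, savedChoice = null } = {}) {
  const loc = resolveVisitorState(headers, declaredState);
  // Fail closed: if the visitor cannot be placed at all, apply the strictest rules (California).
  const state = loc.source === "unknown" ? "CA" : loc.state;
  const law = state ? STATE_LAWS[state] ?? null : null;
  const gpc = gpcSignaled(headers, navigator);
  // GPC is honored everywhere, not only where the law demands it: the article's advice is to
  // treat any ad-platform sharing as a potential "sale" and offer the opt-out universally.
  const optedOut = gpc || savedChoice === "opt-out";
  return {
    country: loc.country, state, law, locationSource: loc.source,
    consentModel: !law ? (loc.country === "US" ? "no-state-law" : "non-us")
      : NO_SENSITIVE_OPT_IN.has(state) ? "notice-opt-out" : "opt-out-plus-sensitive-opt-in",
    gpcSignal: gpc,
    gpcRequired: Boolean(state) && GPC_REQUIRED.has(state),
    sellOrShare: !optedOut,          // suppress sale/sharing immediately when opted out
    loadTargetedAds: !optedOut,      // and do not load targeted-advertising scripts
    sensitiveRequiresOptIn: Boolean(law) && !NO_SENSITIVE_OPT_IN.has(state),
    childOptInUnder: state === "CA" ? 16 : 13,  // COPPA baseline; CA raises it to 16 for sale/sharing
    confirmationRequired: false,     // a GPC opt-out is applied with no extra confirmation prompt
    choiceSource: gpc ? "gpc" : savedChoice ? "stored" : "default",
  };
}

// Step 5: the record to store with the preference, so the basis for the decision
// (which law, which signal, when) can be shown later.
function buildConsentRecord(policy, now = new Date()) {
  return {
    version: 1,
    state: policy.state,
    law: policy.law,
    saleOptOut: !policy.sellOrShare,
    source: policy.choiceSource,
    recordedAt: now.toISOString(),
  };
}

// Constructed sample request: a Colorado visitor whose browser sends GPC.
const sample = resolveConsentPolicy({
  headers: { "cf-ipcountry": "US", "cf-region-code": "CO", "sec-gpc": "1" },
});
console.log(JSON.stringify(buildConsentRecord(sample, new Date(0))));
```

The decision object is what the rendering layer consumes: `loadTargetedAds` gates script injection, `sensitiveRequiresOptIn` decides whether the sensitive-data consent step is shown, and `gpcRequired` is kept separately from `gpcSignal` so the stored record shows whether the opt-out was a legal obligation or a voluntary universal application of it.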
ConsentStack uses global compliance routing across 20+ US states, mapping each visitor's jurisdiction to the right consent model. When new state laws take effect, the mapping updates on ConsentStack's side. No code changes on your end.
See how ConsentStack handles geo-detection | CCPA cookie consent guide | GDPR cookie consent guide
Practical Implementation Strategies
Strategy 1: Use a CMP with US State Support (Recommended)
| Feature | Why It Matters | Red Flag |
|---|---|---|
| US states supported | More = less manual work | "CCPA and VCDPA only" |
| GPC support | 12 states require it | "Coming soon" or unspecified |
| Geo-detection granularity | Must detect at state level | Country-level only |
| Script blocking | Opt-out must stop data sharing | Banner-only, no enforcement |
| Update frequency | Laws change constantly | Last updated 2024 |
ConsentStack covers 195+ regulations including 20+ US state laws on every tier, including free. See features | Best consent management platforms compared
Strategy 2: Build Your Own
Requires: state detection service, consent model engine mapping 20+ states, GPC handler, opt-out UI, script blocking, consent storage, and ongoing maintenance. A senior developer spending 4-6 weeks on initial build plus monthly maintenance costs far more than $29/site/month. Build custom only if no CMP meets your needs.
Strategy 3: Apply California Rules Universally
Treat every US visitor as California. Single implementation, no geo-detection needed, always compliant with the strictest standard. Tradeoffs: over-compliance for weaker states, California-specific language may confuse visitors, and some states have unique provisions California does not cover (Oregon's transgender protections, Tennessee's NIST defense). Works for smaller teams willing to accept the tradeoffs.
Frequently Asked Questions
How many US states have comprehensive privacy laws?
**20 states** have enacted comprehensive privacy laws in effect or taking effect during 2026 (California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Nebraska, Rhode Island). The number is expected to exceed 25 by 2028.
Do US state laws require opt-in consent?
Not for most data. The majority use an **opt-out model**. However, nearly every state requires **opt-in for sensitive data** (health, biometric, precise geolocation, children's data). Utah and Iowa are the exceptions, requiring only notice and an opt-out opportunity for sensitive data.
What is Global Privacy Control and which states require it?
GPC is a browser signal that communicates an opt-out preference. **12 states** legally require honoring it as of 2026: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. Sephora was fined **$1.2 million** in part for failing to process GPC. The trend is toward more states requiring it.
Can I apply California's rules to all US visitors?
Yes, and it is a valid simplification. California has the most comprehensive requirements, so universal application generally satisfies other states. Tradeoff: over-compliance in weaker states, and some states have unique provisions California does not address.
What are the penalties for non-compliance?
AG investigations, civil penalties (in California, $2,500 per violation and $7,500 per intentional violation), injunctive relief, and reputational damage. Several states are sunsetting cure periods. California includes a private right of action, limited to data breaches; Vermont's pending law also includes one.
Do I need a separate consent banner for each state?
No. Use a single adaptive consent experience that adjusts based on geo routing. The same framework renders with appropriate controls per state. ConsentStack handles this with one script tag across all supported US states.
Conclusion
US state privacy laws are accelerating, from one law in 2020 to 20+ in 2026. Geo routing, consent model mapping, GPC support, and ongoing maintenance across a growing set of jurisdictions make hardcoding state-specific logic unsustainable.
ConsentStack handles it all. Global compliance routing across 20+ US states, automatically applying the correct consent model. Opt-out mechanisms and sensitive-data flows are configured through the dashboard. When new laws take effect, the mappings update automatically. GPC signals are detected and honored by default in the 12 states that require it.
One script tag. Lightweight SDK. Every US state privacy law covered. From $0/month.