State Privacy Laws in 2026: A Complete Guide for Businesses and Consumers
Twenty states now have comprehensive privacy laws. Learn what changed in 2026, who is affected, and how to ensure compliance with new data protection regulations.
Twenty states now have comprehensive data privacy laws on the books. Three more—Indiana, Kentucky, and Rhode Island—went into effect January 1, 2026, and several existing laws were amended in ways that matter for compliance. If your business handles personal data or you want to understand your rights as a consumer, here’s what you need to know.
State Privacy Laws Effective in 2026
The patchwork of state privacy laws keeps growing. The table below summarizes which states have comprehensive privacy laws and key 2026 effective dates.
| State | Law / regime | Key 2026 effective date | Notes |
|---|---|---|---|
| Indiana | Indiana CDPA | January 1, 2026 | New comprehensive law |
| Kentucky | Kentucky CPA | January 1, 2026 | New comprehensive law |
| Rhode Island | Rhode Island DPA | January 1, 2026 | New comprehensive law |
| Connecticut | Connecticut CTDPA | July 1, 2026 | Significant amendments take effect |
| Arkansas | Arkansas ADPA | July 1, 2026 | Law takes effect |
| Utah | Utah UCPA | July 1, 2026 | Amendments take effect |
| California | CCPA / CPRA | August 1, 2026 | New data broker registration requirements |
| Others | Various state laws | Already in effect | e.g., California, Virginia, Colorado, etc. |
California, Virginia, Colorado, Connecticut, Utah, and others had laws in effect before 2026. The 2026 wave adds three new states and tightens several existing regimes.
What Changed in 2026: Trends That Affect You
New state laws (January 1, 2026)
Indiana, Kentucky, and Rhode Island joined the group of states with comprehensive privacy laws. Each gives consumers rights to know, access, correct, delete, and port personal data, and to opt out of certain sales and targeted advertising. Businesses that meet each state’s applicability thresholds (typically based on revenue or volume of data processed) must comply.
Amendments to existing laws
Several states have updated their laws in important ways:
- Elimination of cure periods: Some states no longer allow a formal “cure” period before enforcement. Regulators can enforce immediately when they find violations, so getting your practices right in advance matters more.
- Lower applicability thresholds: In some states, smaller businesses are now in scope. If you previously assumed you were exempt, recheck the current thresholds for each state where you have customers or process data.
Connecticut, Arkansas, and Utah (July 1, 2026)
Connecticut’s and Utah’s amended provisions, and Arkansas’s new law, take effect July 1, 2026. That includes updated requirements and rights, so businesses should review notice, consent, and response procedures for those states.
California data broker registration (August 1, 2026)
California is adding new data broker registration requirements effective August 1, 2026. If your business qualifies as a “data broker” under California law (e.g., selling or sharing personal information you did not collect directly from the consumer), you’ll need to register and meet the new obligations by that date.
What Businesses Must Do to Comply
Compliance with state privacy laws is not one-size-fits-all, but these steps apply across most regimes:
1. Determine where you’re in scope
Check applicability for each state where you have users or process data. Criteria usually include:
- Revenue or transaction volume
- Number of state residents whose data you process
- Whether you sell personal data or use it for targeted advertising
2. Publish a clear privacy notice
Your privacy policy should explain:
- What personal data you collect and why
- How long you keep it
- Who you share it with (including “sales” and “targeted advertising” where those terms apply)
- How consumers can exercise their rights
3. Honor consumer rights
Under most state laws, you must support:
- Right to know what personal data you have
- Right to access that data
- Right to correct inaccuracies
- Right to delete (with certain exceptions)
- Right to data portability in a usable format
- Right to opt out of sale of personal data and (in many states) targeted advertising or profiling
You typically have 45 days to respond, with limited extensions. Implement a process to receive, verify, and fulfill requests.
4. Use contracts with processors and third parties
If vendors process personal data on your behalf, ensure contracts require them to assist with security, breach notification, and responding to consumer rights requests.
5. Recheck cure periods and thresholds
With cure periods gone or narrowed in some states and thresholds lowered, reassess your exposure. Update compliance checklists and, if needed, get advice from a privacy or regulatory attorney.
What Rights Consumers Have Now
If you live in a state with a comprehensive privacy law, you generally have the following rights with respect to businesses that are covered:
- Know what personal information a business collects and how it’s used
- Access your personal information
- Correct inaccurate personal information
- Delete your personal information (subject to legal exceptions)
- Obtain a copy of your data in a portable format
- Opt out of sale of your personal information (and in many states, opt out of targeted advertising or certain profiling)
- Non-discrimination for exercising these rights (businesses can’t charge more or provide a worse service just because you asked to delete or opt out)
Rights and exceptions vary by state. Businesses must provide a clear way to submit requests (e.g., web form, link, or email) and respond within the timeframes set by each law.
Practical Takeaways
For businesses (including law firms):
- Map which states’ laws apply to you and mark 2026 dates: Jan 1 (IN, KY, RI), Jul 1 (CT, AR, UT), Aug 1 (CA data broker).
- Update your privacy notice and internal procedures for new and amended laws; assume no or short cure periods where they’ve been removed.
- Put in place (or refine) a process for receiving and responding to access, correction, deletion, and opt-out requests.
- If you might qualify as a data broker in California, plan for registration and related obligations by August 1, 2026.
- Consider a focused review with a lawyer who specializes in privacy and compliance, especially if you hold sensitive client or employee data.
For individuals:
- Use your state’s rights: look for “Do Not Sell or Share My Personal Information,” “Privacy Rights,” or similar links in privacy policies and on company websites.
- Submit requests in writing (via the business’s designated method) and keep a record of what you asked for and when.
- If a business doesn’t respond or you believe your rights were violated, you can report to your state attorney general or consumer protection agency; some laws also allow a private right of action in limited situations.
State privacy laws in 2026 create both obligations for businesses and real leverage for consumers. Whether you’re a business owner ensuring compliance or an individual asserting your rights, staying informed and taking action pays off.
This article is for informational purposes only and does not constitute legal advice. Requirements and effective dates can change. Consult a qualified attorney for advice specific to your situation and jurisdiction.