US State Privacy Laws
23 states, no federal law, and an expanding patchwork
Overview
As of June 2026, 23 US states have enacted comprehensive consumer privacy laws: Louisiana (SB 386, signed as Act 502 on May 29, 2026, effective January 1, 2027) is the most recent addition, following Oklahoma (SB 546, signed March 20, 2026) and Alabama (HB 351, signed April 17, 2026). Some tallies count one fewer by excluding Florida from the “comprehensive” group due to its $1B+ revenue threshold. The United States has no federal comprehensive privacy law (the American Privacy Rights Act was introduced in 2024 but failed to advance), leaving a growing patchwork of state-level legislation as the primary framework governing consumer data protection in the country.[1][58]
The state privacy law landscape is dominated by the “Virginia model,” a template established by the Virginia Consumer Data Protection Act (VCDPA) in 2021 and subsequently adopted by 15 or more states. The model’s defining characteristics are: attorney general–only enforcement, no private right of action, opt-in consent for sensitive data processing, opt-out consent for general processing, and data protection assessment requirements for high-risk activities.[2]
California’s framework differs significantly from the Virginia model adopted by most states. The CCPA/CPRA created the California Privacy Protection Agency (CPPA) – the first and only dedicated state privacy enforcement agency – alongside the broadest consumer rights, a limited private right of action for data breaches, and the most detailed implementing regulations of any state. For a comprehensive treatment of California’s framework, see the California page.
For federal privacy and surveillance laws, see the US Federal page.
Comparison Table: All 23 States
| # | State | Law | Effective | Cure Period | Private Right of Action |
|---|---|---|---|---|---|
| 1 | California | CCPA/CPRA | Jan 2020 / Jan 2023 | 30 days (limited) | Yes (data breaches only) |
| 2 | Virginia | VCDPA | Jan 2023 | 30 days | No |
| 3 | Colorado | CPA | Jul 2023 | Expired Jan 2025 | No |
| 4 | Connecticut | CTDPA | Jul 2023 | Expired Dec 2024 | No |
| 5 | Utah | UCPA | Dec 2023 | 30 days | No |
| 6 | Iowa | ICDPA | Jan 2025 | 90 days | No |
| 7 | Indiana | ICDPA | Jan 2026 | 30 days (permanent) | No |
| 8 | Tennessee | TIPA | Jul 2025 | 60 days | No |
| 9 | Montana | MTCDPA | Oct 2024 | Expired early 2025 | No |
| 10 | Texas | TDPSA | Jul 2024 | 30 days | No |
| 11 | Oregon | OCPA | Jul 2024 | 30 days | No |
| 12 | Delaware | DPDPA | Jan 2025 | 60 days | No |
| 13 | Florida | FDBR | Jul 2024 | 45 days | No (limited for children) |
| 14 | New Hampshire | NHPA | Jan 2025 | Expired Dec 2025 | No |
| 15 | New Jersey | NJDPA | Jan 2025 | 30 days (18-month transition) | No |
| 16 | Kentucky | KCDPA | Jan 2026 | 30 days (permanent) | No |
| 17 | Maryland | MODPA | Oct 2025 | None specified | No |
| 18 | Minnesota | MCDPA | Jul 2025 | Expired Jan 2026 | No |
| 19 | Nebraska | NDPA | Jan 2025 | 30 days (permanent) | No |
| 20 | Rhode Island | RIDTPPA | Jan 2026 | None | No |
| 21 | Oklahoma | OCDPA (SB 546) | Jan 2027 | 30 days (sunsets) | No |
| 22 | Alabama | APDPA (HB 351) | May 2027 | 30 days | No |
| 23 | Louisiana | LDPA (SB 386 / Act 502) | Jan 2027 | 30 days (sunsets Jul 2027) | No |
State-by-State Summaries
California – CCPA/CPRA
California’s framework is covered in detail on the California page. In brief: the CCPA (2018) as amended by the CPRA (2020) created the nation’s first dedicated privacy enforcement agency (CPPA) alongside the rights and protections described in the overview above. New regulations on automated decision-making, insurance data, and cybersecurity audits took effect January 1, 2026.[3]
Beyond the comprehensive law: 4th Amendment / surveillance: CalECPA requires a warrant for electronic communications, metadata, and device data, the strongest state electronic-privacy statute; plus the Reader Privacy Act and CalOPPA. Data brokers: the DELETE Act and DROP one-stop deletion platform. AI: SB 243 companion-chatbot safeguards (in force Jan 1, 2026) and the CCPA ADMT regulations. Age verification: CAADCA (enjoined) and SB 976 social-media “addiction” law (core addictive-feeds and default-privacy provisions upheld by the Ninth Circuit in September 2025, taking effect in 2026); AB 1043 OS-level age assurance (effective Jan 1, 2027). No adult-content age-verification statute. Police surveillance tech: CalECPA requires a warrant for electronic communications, metadata, and device data (and covers cell-site simulators); ALPR data held by the Highway Patrol is capped at 60 days (SB 34), with pending limits on out-of-state/federal sharing. Proposed: AB 1883 (workplace surveillance tools), AB 1898 (workplace AI disclosure), plus CIPA, data-broker, precise-geolocation, and ~10 AI bills.[52][53][47][38][49]
Virginia – VCDPA
The Virginia Consumer Data Protection Act, signed March 2, 2021 and effective January 1, 2023, was the second comprehensive state privacy law and established the template that most subsequent states followed. Enforced exclusively by the Virginia Attorney General with a 30-day cure period. Applies to entities processing data of 100,000+ consumers or 25,000+ consumers where 50%+ of revenue comes from data sales. Standard consumer rights (access, correct, delete, portability, opt-out of sale/targeted advertising/profiling) with opt-in required for sensitive data.[4] In April 2026, the legislature enacted SB 338, prohibiting controllers from selling or offering for sale precise geolocation data.[43]
Beyond the comprehensive law: Adult-content age verification: Virginia requires age verification for sites with a substantial portion of material harmful to minors (in force), though a 2026 age-assurance enforcement/rulemaking effort was temporarily blocked on First Amendment grounds. Social media: SB 854 imposes a default one-hour-per-day social-media limit for users under 16 absent parental consent (effective January 1, 2026 but preliminarily enjoined February 27, 2026 in NetChoice v. Jones; Virginia has appealed). No standalone app-store or VPN statute. Police surveillance tech: Virginia restricts police facial recognition via a warrant-audit-reporting law effective July 1, 2026, and requires warrants for drone surveillance and cell-site simulators.[50][51][54][55]
Colorado – CPA
The Colorado Privacy Act, signed July 7, 2021 and effective July 1, 2023, was the third comprehensive state privacy law. Colorado was one of the first states to require recognition of universal opt-out mechanisms (effective July 1, 2024). The cure period expired January 1, 2025, giving the AG immediate enforcement discretion. Amendments under SB 24-041 expanding children’s protections take effect July 1, 2026. Enforced by the Colorado Attorney General and District Attorneys.[5]
Beyond the comprehensive law: AI: the Colorado Artificial Intelligence Act (SB 24-205), the first US comprehensive AI law, regulates “high-risk” AI systems and algorithmic discrimination with developer/deployer duties; its effective date was pushed to June 30, 2026. No adult-content age-verification, social-media, app-store, or VPN statute; minors’ protections run through the CPA amendments. Police surveillance tech: Colorado is among the seven states with the strongest limits on police facial recognition.[49][54]
Connecticut – CTDPA
The Connecticut Data Privacy Act, signed May 10, 2022 and effective July 1, 2023, is among the more consumer-friendly state laws due to its absence of a revenue threshold. It has required honoring of universal opt-out preference signals since January 1, 2025. Significant 2024–2025 amendments added consumer health data protections and children’s online safety provisions, including a prohibition on features designed to increase minors’ usage such as endless scrolling. Cure period expired December 31, 2024.[6] A further major overhaul (SB 1295, effective July 1, 2026) substantially expands the law: the applicability threshold is lowered from 100,000 to 35,000 consumers (or any entity that sells personal data regardless of volume); neural data is added to the sensitive data category requiring opt-in consent; and privacy notices must disclose whether a controller engages in profiling and whether personal data is used to train large language models.[31]
Beyond the comprehensive law: children’s online-safety provisions in the CTDPA bar design features that increase minors’ usage (e.g., endless scrolling). On June 2, 2026, Governor Lamont signed SB 5, Public Act 26-15, the Connecticut Artificial Intelligence Responsibility and Transparency Act (CART Act), one of the most comprehensive state AI laws to date. Its youth online-safety provisions require social media platforms to make a “commercially reasonable and technically feasible” effort to verify whether a user is a minor (under 18), obtain parental consent before enabling an algorithmic feed for a minor, impose a default one-hour daily limit on personalized content, and bar notifications to minors between 9:00 p.m. and 8:00 a.m.; platforms must delete age-verification data immediately after use, and the youth provisions take effect January 1, 2028. The Act also regulates AI companion chatbots (effective January 1, 2027) and automated employment decision tools. Proposed: SB 4 would add a California-style data-broker registration regime, ban the sale of geolocation data, and add facial-recognition provisions.[49][62]
Utah – UCPA
The Utah Consumer Privacy Act, signed March 24, 2022 and effective December 31, 2023, has been characterized as among the most business-friendly of the early comprehensive privacy laws. Uses an opt-out model for both general and sensitive data (no opt-in required for sensitive data, unlike most states). Higher threshold: $25 million annual revenue AND processing data of 100,000+ consumers. Does not require data protection assessments. Utah AI Policy Act provisions updating the UCPA framework take effect July 1, 2026.[7]
Beyond the comprehensive law: Utah is the most active state across this directory’s non-privacy topics. Adult-content age verification: in force. Social media: the Social Media Regulation Act (SB 152 / HB 311, re-enacted as SB 194 / HB 464) requires parental consent for minors and imposes a default overnight curfew; enjoined, on appeal. App store: the App Store Accountability Act (SB 142), the first such law in force (May 2026), requires app-store age verification and parental consent for minors. VPN: SB 73 is the first state statute to write VPN circumvention into an age-verification law (a Utah-located user is covered behind a VPN; sites may not explain VPN use), effective May 6, 2026, but Utah agreed not to enforce it until September 3, 2026 after Aylo (Pornhub’s parent) challenged it in court. 4th Amendment / surveillance: Utah’s electronic-information privacy statute and its warrant requirement for geofence and other reverse searches are among the strongest state protections; Utah was also among the first states to require a warrant for police facial recognition, and it requires warrants for drone surveillance and cell-site simulators and regulates ALPRs. AI: the AI Policy Act mandates disclosure of generative-AI interactions.[50][51][44][52][54][55]
Iowa – ICDPA
The Iowa Consumer Data Protection Act, signed March 29, 2023 and effective January 1, 2025, is among the most business-friendly comprehensive privacy laws enacted to date. It does not grant consumers the right to correct personal data or opt out of profiling. Uses opt-out (not opt-in) for sensitive data. Features a 90-day cure period – one of the longest of any state. No data protection assessment requirement. Enforced exclusively by the Iowa Attorney General.[8]
Beyond the comprehensive law: Iowa has no separate adult-content age-verification, social-media, app-store, VPN, biometric, or AI statute; its privacy regime is limited to the business-friendly ICDPA. Police surveillance tech: Iowa requires a warrant for drone surveillance.[55]
Indiana – ICDPA
The Indiana Consumer Data Protection Act, signed May 1, 2023 and effective January 1, 2026, largely mirrors the Virginia model. Applies to entities processing data of 100,000+ Indiana residents or 25,000+ where 50%+ of revenue is from data sales. Features a permanent 30-day cure period that does not sunset. Standard consumer rights package enforced by the Indiana Attorney General.[9]
Beyond the comprehensive law: Adult-content age verification: Indiana’s SEA 17 (effective 2024) requires age verification for sites with a substantial portion of material harmful to minors; enforcement was briefly paused by litigation. No social-media, app-store, or VPN statute. Police surveillance tech: Indiana requires a warrant for drone surveillance.[50][55]
Tennessee – TIPA
The Tennessee Information Protection Act, signed May 11, 2023 and effective July 1, 2025, makes Tennessee the first state to formally incorporate the NIST Privacy Framework as a compliance tool – alignment with the framework serves as an affirmative defense against enforcement actions. Features among the highest applicability thresholds: $25 million revenue AND 175,000+ consumers. 60-day cure period. Fully exempts state-licensed insurance companies.[10]
Beyond the comprehensive law: Adult-content age verification: in force (2025). Social media: the Protecting Children from Social Media Act requires age verification and parental consent for minors, in force January 1, 2025. No app-store or VPN statute. Police surveillance tech: Tennessee requires warrants for drone surveillance and cell-site simulators.[50][51][55][56]
Montana – MTCDPA
The Montana Consumer Data Privacy Act, signed May 19, 2023 (passed unanimously) and effective October 1, 2024, reflects Montana’s small population with a low applicability threshold of 50,000 consumers. Significant 2025 amendments (SB 297, effective October 1, 2025): removed all applicability thresholds for minor protections under age 18, eliminated the Gramm-Leach-Bliley financial institution exemption, and closed the cure period six months early.[11]
Beyond the comprehensive law: Adult-content age verification: Montana’s SB 544 requires age verification for sites with material harmful to minors (in force). The MTCDPA’s minor protections apply with no thresholds for users under 18. No social-media, app-store, or VPN statute. Police surveillance tech: Montana was among the first states to require a warrant for police facial recognition, requires warrants for drone surveillance, and regulates ALPRs.[50][54][55]
Texas – TDPSA
The Texas Data Privacy and Security Act, signed June 18, 2023 and effective July 1, 2024, covers the largest state by population after California. Texas stands out for having no revenue threshold and no minimum consumer data processing threshold – it applies to all non-exempt entities that conduct business in Texas and process or sell personal data (with a small business exemption). The Texas AG has been among the most active enforcers, announcing a $1.4 billion settlement with Meta in July 2024 for CUBI biometric violations – the largest biometric privacy settlement in history – and filing the first TDPSA enforcement action on January 13, 2025, against Allstate and its subsidiary Arity for processing precise geolocation data from 45+ million consumers without consent.[12][32]
Texas has enacted several additional privacy-adjacent laws since the TDPSA. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 1, 2026, imposes obligations on AI developers and deployers and requires government entities to clearly disclose AI interactions to the public before or at the time of the interaction.[33] The Electronic Health Records Data Localization Law (S.B. 1188), signed June 20, 2025 and effective January 1, 2026, mandates that all electronic health records be physically stored on servers located in the United States (offshore storage is banned, though offshore access with safeguards remains permissible) and imposes requirements on AI tools used in clinical decision-making.[34] The Texas Genomic Act of 2025 (HB 130), signed May 2025, restricts the collection and transfer of genome sequencing data to entities connected to designated foreign adversaries including China, Russia, Iran, Cuba, North Korea, and Venezuela.[33] Finally, the App Store Accountability Act (SB 2420), which would have required app stores to verify users’ ages and obtain parental consent before minors could download apps or make in-app purchases, was enjoined on December 23, 2025 by the U.S. District Court for the Western District of Texas and is currently blocked pending litigation.[35]
More state laws by topic: Adult-content age verification: HB 1181, upheld by the U.S. Supreme Court in Free Speech Coalition v. Paxton (June 27, 2025) and in force (Texas also mandates a health warning). Social media: the SCOPE Act (HB 18) requires age verification and parental tools for known minors on large platforms; portions have been enjoined in ongoing First Amendment litigation. Biometric: CUBI (the basis of the $1.4B Meta settlement). No VPN statute. Police surveillance tech: Texas requires a warrant for drone surveillance.[36][51][55]
Oregon – OCPA
The Oregon Consumer Privacy Act, signed July 18, 2023 and effective July 1, 2024 (nonprofits: July 1, 2025), is one of the few comprehensive state privacy laws that covers nonprofit organizations. Features the broadest definition of “sensitive data” among all states – uniquely including transgender or non-binary status and crime victim status. Requires controllers to disclose the specific third parties (not just categories) that received a consumer’s data. Penalties up to $7,500 per violation.[13]
Beyond the comprehensive law: Oregon has no separate adult-content age-verification, social-media, app-store, or VPN statute; its broad “sensitive data” definition and specific-third-party disclosure rule are its distinctive features. Police surveillance tech: Oregon’s SB 1516 (signed March 31, 2026) caps police ALPR retention at 30 days and limits inter-agency sharing, and Oregon requires a warrant for drone surveillance. Proposed: an amendment barring the sale of precise geolocation within a 1,750-foot radius.[53][55][49]
Delaware – DPDPA
The Delaware Personal Data Privacy Act, signed September 11, 2023 and effective January 1, 2025, is considered one of the strongest state privacy laws. Covers nonprofits and institutions of higher education (unlike most states). Special protections for minors: parental consent required for those under 13, direct consent from teens aged 13–17 for targeted advertising or data sales. Low threshold: 35,000 consumers or 10,000 with 20%+ revenue from data sales.[14]
Beyond the comprehensive law: Delaware has no separate adult-content age-verification, social-media, app-store, or VPN statute; minors are protected through the DPDPA (parental consent under 13; teen consent 13–17 for targeted ads/sales).
Florida – FDBR
The Florida Digital Bill of Rights, signed June 6, 2023 and effective July 1, 2024, has the narrowest applicability of any state – it applies only to entities with $1 billion+ in annual gross revenue, meaning very few companies are covered. Includes unique provisions prohibiting government employees from contacting social media platforms to request content removal. Some trackers do not classify it as truly “comprehensive” due to its narrow scope.[15]
Beyond the comprehensive law: Age verification / social media: Florida’s HB 3 is among the most aggressive in the country, prohibiting accounts for users under 14 and requiring parental consent at 14–15, plus age verification for sites with material harmful to minors; a June 2025 injunction was stayed on appeal and key provisions are currently enforceable pending litigation. Free speech: the FDBR bars government employees from contacting platforms to request content removal. No app-store or VPN statute. Police surveillance tech: Florida requires a warrant for drone surveillance.[51][50][55]
New Hampshire – NHPA
The New Hampshire Privacy Act, signed March 6, 2024 and effective January 1, 2025, features a strong anti-dark-patterns provision: consent must be a “clear affirmative act” and cannot be obtained through acceptance of general terms, hovering, closing content, or dark patterns. Heightened protections for teens aged 13–16 (targeted advertising and data sales prohibited without consent). Cure period expired December 31, 2025.[16]
Beyond the comprehensive law: New Hampshire has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the strong anti-dark-patterns consent rule and teen (13–16) protections in the NHPA. Police surveillance tech: New Hampshire restricts government use of ALPRs.[53]
New Jersey – NJDPA
The New Jersey Data Protection Act, signed January 16, 2024 and effective January 15, 2025, is the first state law both to include an opt-in requirement for profiling of children AND to apply minor protections up to age 17 (not just under 13 as in COPPA). Covers nonprofits with no nonprofit exemption. Broad AG rulemaking authority. No revenue threshold. 18-month transitional enforcement period with 30-day cure window through approximately July 2026.[17]
Beyond the comprehensive law: New Jersey has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive feature is the strongest minor protection of any comprehensive law: opt-in for profiling of, and protections extending to, anyone under 18. Police surveillance tech: New Jersey imposes warrant/notice limits on police facial recognition.[54]
Kentucky – KCDPA
The Kentucky Consumer Data Protection Act, signed April 4, 2024 and effective January 1, 2026, largely mirrors the Virginia model. Features a permanent (non-sunsetting) 30-day cure period, one of the most business-friendly enforcement provisions. Standard applicability: 100,000 consumers or 25,000 with 50%+ revenue from data sales. Data protection assessment requirements for higher-risk processing.[18]
Beyond the comprehensive law: Adult-content age verification: Kentucky’s HB 278 requires age verification for sites with material harmful to minors (in force 2024), with a requirement that personal data be deleted after an access review. No social-media, app-store, or VPN statute.[50]
Maryland – MODPA
The Maryland Online Data Privacy Act, signed May 2024 and effective October 1, 2025, is considered one of the most restrictive state privacy laws, imposing significant compliance requirements. Key distinctions: (1) prohibits the sale of sensitive data entirely, regardless of consent – a unique approach where consent does not override the prohibition; (2) strict data minimization requiring collection to be “reasonably necessary and proportionate”; (3) unique anti-discrimination provision; (4) prohibits advertising/sale of data for anyone under 18; (5) regulates consumer health data including gender-affirming treatment and reproductive health data.[19]
Beyond the comprehensive law: Maryland has no separate adult-content age-verification, social-media, app-store, or VPN statute; its data-minimization mandate, outright ban on selling sensitive data (consent cannot override), and under-18 advertising/sale ban are its distinctive features. Police surveillance tech: Maryland enacted what are widely regarded as the strongest police facial-recognition rules in the country (including notice to defendants when the technology was used) and imposes a warrant requirement for cell-site simulators. Proposed: HB 711, addressing data use in immigration enforcement.[54][56][49]
Minnesota – MCDPA
The Minnesota Consumer Data Privacy Act, signed May 24, 2024 and effective July 31, 2025, contains a unique right to question profiling – including the right to ask for results of profiling and challenge inaccurate information, especially regarding automated decisions affecting access to jobs, housing, education, insurance, or essential services. First state to require controllers to designate a chief privacy officer and include their contact information in privacy policies. The 30-day cure period expired January 31, 2026, giving the AG immediate enforcement discretion without a mandatory cure window. Minnesota and Colorado are expected to emerge as active enforcement states in 2026. Penalties up to $7,500 per violation.[20]
Beyond the comprehensive law: Minnesota has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the right to question profiling/automated decisions and the mandatory chief-privacy-officer designation. Police surveillance tech: Minnesota imposes limits on police facial recognition and requires warrants for drone surveillance and cell-site simulators.[54][55][56]
Nebraska – NDPA
The Nebraska Data Privacy Act, signed April 17, 2024 and effective January 1, 2025, has no revenue threshold and no minimum consumer data processing threshold (similar to Texas), applying broadly to any person conducting business in Nebraska that processes or sells personal data – with a small business exemption per the federal Small Business Act. The exemption does not apply if the business sells sensitive data without consent. Permanent 30-day cure period. Known child data classified as sensitive data requiring opt-in consent.[21] In April 2026, Governor Pillen signed LB 838, amending Nebraska’s Age-Appropriate Online Design Code Act and broadening its applicability.[43]
Beyond the comprehensive law: Adult-content age verification: in force (2024). Social media: LB 383 (Parental Rights in Social Media Act) requires age verification and parental consent for under-18s, effective July 1, 2026, alongside the Age-Appropriate Online Design Code. No app-store or VPN statute.[50][51]
Rhode Island – RIDTPPA
The Rhode Island Data Transparency and Privacy Protection Act, transmitted without the governor’s signature June 28, 2024 and effective January 1, 2026, features a unique two-tiered applicability structure: Tier One applies transparency requirements to any commercial website or ISP that sells personally identifiable information; Tier Two applies full requirements to for-profit entities processing data of 35,000+ Rhode Island residents. Rhode Island is among the strictest states with no cure period – businesses must be in compliance from day one. Penalties up to $10,000 per violation (higher than the standard $7,500).[22]
Beyond the comprehensive law: Rhode Island has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the two-tier applicability, the absence of any cure period, and the higher $10,000 penalty.
Oklahoma – OCDPA (SB 546)
The Oklahoma Consumer Data Privacy Act, signed by Governor Kevin Stitt on March 20, 2026 and effective January 1, 2027, follows the Virginia template. Applies to controllers processing data of 100,000+ Oklahomans, or 25,000+ where 50%+ of revenue derives from data sales. Standard consumer rights (access, correct, delete, opt out of targeted advertising / sale / profiling) and opt-in for sensitive data. Enforced exclusively by the Oklahoma Attorney General with civil penalties up to $7,500 per violation; 30-day cure period that sunsets after an initial period.[41]
Beyond the comprehensive law: Adult-content age verification: Oklahoma requires age verification for sites with material harmful to minors (in force 2024). No social-media, app-store, or VPN statute.[50]
Alabama – APDPA (HB 351)
The Alabama Personal Data Protection Act, signed by Governor Kay Ivey on April 17, 2026 (passed unanimously: House 104–0, Senate 34–0) and effective May 1, 2027, made Alabama the most recent state to enact a comprehensive privacy law. Affirmative consumer consent is required for processing sensitive data, defined to include racial/ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, and precise geolocation. Departures from the Virginia template appear in applicability thresholds, the definition of “sale,” and entity-level exemptions. AG-only enforcement; 30-day cure period.[42]
Beyond the comprehensive law: Adult-content age verification: Alabama requires age verification for sites with material harmful to minors (in force 2024) and mandates a health warning. App store: the App Store Accountability Act (HB 161), signed February 2026 and effective January 1, 2027, defines four age brackets, requires minor accounts to be affiliated with a verified parent, and conditions downloads/in-app purchases on verifiable parental consent. No VPN statute. Police surveillance tech: Alabama imposes warrant/notice limits on police facial recognition.[50][37][54]
Louisiana – LDPA (SB 386 / Act 502)
The Louisiana Data Privacy Act, signed as Act 502 on May 29, 2026 and effective January 1, 2027, made Louisiana the most recent state to enact a comprehensive privacy law (House 94–0, Senate concurred 34–0). It applies to entities meeting at least one threshold: $25 million in annual revenue, processing data of 75,000+ consumers, or deriving 50%+ of revenue from selling personal data. Standard consumer rights (access, correct, delete, portability, opt out of sale / targeted advertising / profiling) with opt-in for sensitive data. Enforced exclusively by the Attorney General (no private right of action) with violations treated as unfair/deceptive trade practices (civil penalties, attorney fees, and treble damages for willful conduct). A temporary 30-day cure period runs through July 31, 2027, then sunsets.[58]
Beyond the comprehensive law: Louisiana is a national pioneer in age-verification mandates. Adult-content age verification: Act 440 (HB 142), effective January 1, 2023, was the first such law in the nation and the template most other states copied (sites with at least one-third material harmful to minors must verify age). Social media: the Secure Online Child Interaction and Age Limitation Act (SB 162, 2023) required age verification and parental consent for users under 16 on large platforms, but was struck down as unconstitutional in December 2025 (NetChoice). App store: the Online Protections for Minors law (HB 977) requires app stores to verify age and obtain parental consent for minors. No VPN statute.[50][51]
Sector-Specific State Privacy Laws
Beyond comprehensive consumer privacy laws, several sector-specific state statutes have had significant impact on privacy enforcement and litigation.
Illinois BIPA (Biometric Information Privacy Act, 2008)
Illinois BIPA is the most litigated privacy statute in the United States. Enacted in 2008, it regulates the collection, use, storage, and destruction of biometric identifiers (fingerprints, retina/iris scans, voiceprints, face geometry scans). BIPA is the only biometric privacy law with a private right of action, which has generated massive litigation: damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.[23]
A 2024 amendment (SB 2979, signed August 2, 2024) limits damages by redefining repeated collection or transmission of the same biometric data by the same party as a single violation – previously, each individual scan could constitute a separate violation, creating enormous potential liability. Despite this amendment, BIPA remains the most actively litigated privacy statute in the country. Notable settlements include $51.75 million (nationwide class, 2024), $47.5 million (facial recognition), and $8.75 million (student data).[23]
Washington My Health My Data Act (MHMDA, 2023)
Enacted in 2023 and effective March 31, 2024 (large businesses) and June 30, 2024 (small businesses), the MHMDA broadly regulates collection, use, and sale of “consumer health data” – defined expansively to include data used to identify physical or mental health status, including reproductive health, gender-affirming care, and more. Features a broad private right of action with presumptions benefiting plaintiffs; any violation is a per se violation of the Washington Consumer Protection Act. Notably prohibits geofencing around health care facilities. Enacted in response to Dobbs concerns about reproductive health data.[24]
Texas CUBI (Capture or Use of Biometric Identifier Act)
Originally enacted in 2001 (expanded 2009), Texas CUBI regulates biometric identifiers including retina/iris scans, fingerprints, voiceprints, and hand/face geometry. No private right of action – the Texas AG has exclusive enforcement with penalties up to $25,000 per violation. The statute gained national prominence through the $1.4 billion Meta settlement described above, which specifically concerned Meta’s unauthorized capture of facial geometry data through Facebook’s photo-tagging feature in violation of CUBI.[25]
California Age-Appropriate Design Code Act (CAADCA / AB 2273)
Enacted September 15, 2022, the CAADCA requires online services “likely to be accessed by children” to configure default privacy settings to high privacy, assess whether algorithms or data collection could harm children, and use age-appropriate language. It is modeled on the UK’s Age-Appropriate Design Code. However, a preliminary injunction was issued in September 2023 by the Northern District of California in NetChoice v. Bonta, blocking enforcement on First Amendment grounds. On appeal, the Ninth Circuit vacated most of that injunction in August 2024 (leaving only the block on the data-protection-impact-assessment requirement), then in a March 12, 2026 ruling struck additional data-use and dark-pattern provisions as unconstitutionally vague while clearing others to take effect.[26]
Children’s Social Media and Age Verification Laws
At least 19 states have enacted laws restricting minors’ social media access, requiring age verification and/or parental consent. Early movers included Arkansas, California, Texas, Florida, Georgia, Louisiana, Mississippi, Ohio, Tennessee, and Utah. Utah’s App Store Age Verification Law was the first to require app store providers to verify all users’ ages and obtain parental consent for minors’ downloads. Many of these laws face ongoing First Amendment challenges, with mixed outcomes: Georgia SB 351 was preliminarily enjoined on June 26, 2025 (now on appeal to the Eleventh Circuit), and Virginia SB 854 was preliminarily enjoined on February 27, 2026 after taking effect January 1 (Virginia has appealed); meanwhile the Ninth Circuit upheld the core provisions of California SB 976 in September 2025, with its addictive-feeds and default-privacy rules taking effect in 2026.[27]
Adult content age verification: Separately, approximately 26 states have enacted age-verification requirements for accessing adult content, the most recent being West Virginia (HB 4412, effective June 12, 2026). On June 27, 2025 in Free Speech Coalition v. Paxton, the U.S. Supreme Court upheld Texas H.B. 1181 6–3 under intermediate scrutiny, removing the principal federal constitutional obstacle to adult content age verification at the state level. The ruling has accelerated enactment in additional states and shifted remaining First Amendment litigation to as-applied and data-protection grounds.[36]
California’s AB 1043 (Digital Age Assurance Act), signed October 13, 2025 and effective January 1, 2027, takes the most novel approach: it operates at the operating system level, requiring every OS provider (including Linux distributions and SteamOS) to collect age at account setup and expose a real-time API categorizing users into four age brackets (under 13, 13–15, 16–17, 18+) for use by app developers. Texas passed a similar App Store Accountability Act (SB 2420) for age verification and parental consent at the app store level, but that law was enjoined on December 23, 2025 by the Western District of Texas and remains blocked.[35]
2026 legislative wave: The first months of 2026 added several states to the age-verification landscape. Alabama HB 161 (App Store Accountability Act) was signed by Governor Kay Ivey in February 2026 and takes effect January 1, 2027; the Act defines four age categories (under 13; 13–15; 16–17; 18+), requires app stores to affiliate minor accounts with a verified parent, and conditions app downloads and in-app purchases on verifiable parental consent. Nebraska LB 383 (Parental Rights in Social Media Act) takes effect July 1, 2026, requiring platforms to verify all users’ ages and obtain parental consent for anyone under 18. Massachusetts became the first New England state to advance a minimum-age social media bill: on April 8, 2026 the state House passed legislation 129–25 that would prohibit accounts for users under 14, require parental approval for ages 14–15, mandate platform-side age verification, and ban cellphone use during the school day; the bill now awaits Senate consideration. In Wisconsin, Governor Tony Evers vetoed Assembly Bill 105 in April 2026, calling the adult-content age-verification scheme “a violation of personal privacy.”[37][38][39][40]
AI companion chatbots: A parallel 2026 front extends children’s online-safety regulation beyond social media to AI companion chatbots. California SB 243, signed October 13, 2025 and effective January 1, 2026, is the first state law dedicated to companion chatbots: operators must disclose to known minors that they are interacting with AI, issue break reminders at least every three hours, maintain protocols that refer users expressing suicidal ideation or self-harm to crisis services, and take reasonable measures to block sexually explicit output to minors. It carries a private right of action. New York’s AI Companion Models law (Gen. Bus. Law §1700 et seq.), effective November 5, 2025, imposes similar safeguards but is enforceable only by the Attorney General. The two statutes opened a new regulatory category that several additional states began modeling in 2026 sessions.[47][48]
VPN Circumvention: Utah SB 73 and the State VPN Front
Utah SB 73 (Online Age Verification Amendments), signed by Governor Spencer Cox on March 19, 2026 and effective May 6, 2026, is the first US state law to legally target VPN use as an age-verification circumvention vector. The Act treats a user as accessing a covered website “from Utah” whenever the user is physically located in Utah, regardless of any VPN, proxy, or geolocation-masking tool, shifting compliance liability onto adult-content sites for users who tunnel in. The law also forbids covered sites from facilitating, encouraging, or providing instructions on VPN use to bypass age verification, a speech restriction the Electronic Frontier Foundation has called “a technical whack-a-mole that likely no company can win,” with comprehensive VPN IP blocklists infeasible at scale. Civil-liberties analysts estimate roughly a 60% probability that the VPN provisions will be struck down on First Amendment or Commerce Clause grounds; legal challenges are expected.[44]
Wisconsin AB 105: Wisconsin briefly advanced a comparable VPN-targeting provision in early 2026, but on February 19, 2026 the bill’s lead sponsor, Rep. Brent Jacobson, agreed to strip the VPN language after pushback from digital-rights groups, VPN providers, and constituents (“the VPN provision went too far”). Governor Evers then vetoed the residual age-verification bill on April 3, 2026, objecting to its “intrusion into the personal privacy of Wisconsin residents” and proposing device-based age verification (verification on the user’s own device, without submitting ID or biometrics to platforms) as a more privacy-protective alternative. No Wisconsin VPN restriction or age-verification mandate is in force.[45]
Michigan HB 4938 (Anticorruption of Public Morals Act): Introduced September 11, 2025 by six Republican representatives, this proposed bill would go substantially further than Utah by directly obligating internet service providers to monitor for and block “circumvention tools,” explicitly including VPNs, proxies, and encrypted tunnels, with civil penalties up to $500,000 per violation. Promotion or sale of circumvention tools is also banned. As of May 2026 the bill has not been scheduled for a hearing.[46]
State Surveillance & Police-Technology Laws
Separate from consumer-privacy statutes, a growing body of state law regulates how state and local government may conduct surveillance, frequently supplying Fourth-Amendment-style warrant protections that federal law does not. These laws apply regardless of whether a state has a comprehensive privacy law, so they are organized here by technology, with the relevant states named under each.
Electronic Data, Geofence & Reverse Warrants
California’s CalECPA, the broadest state electronic-privacy statute, requires a warrant for electronic communications, metadata, and device data. Utah enacted the first statute generally requiring a warrant for geofence and other reverse searches, and it also protects stored electronic data. The constitutionality of geofence/reverse-search warrants is the subject of a circuit split and pending Supreme Court review (2026).[52]
Automated License Plate Readers (ALPR)
At least 16 states regulate ALPRs (roughly eight limit retention, six restrict government use). 2026 brought a wave driven by the spread of Flock Safety’s nationwide camera network: Washington’s SB 6002 (signed March 30, 2026) mandates deletion of ALPR data after 21 days; Oregon’s SB 1516 (signed March 31, 2026) caps retention at 30 days and logs and limits inter-agency sharing. California (SB 34) caps Highway Patrol retention at 60 days, and pending legislation would bar sharing ALPR data with out-of-state or federal agencies without a warrant. Maine, New Hampshire, Vermont, Montana, and Arkansas also regulate ALPRs; several states are simultaneously moving to shield ALPR data from public-records disclosure.[53]
Facial Recognition
By 2026, roughly 15 states limit police use of facial recognition. Seven impose the strongest limits: Colorado, Maryland, Maine, Montana, Utah, Virginia, and Washington. Montana and Utah were the first to require a warrant; Maryland’s rules (including notice to defendants when the technology was used) are considered the strongest; Virginia’s warrant-audit-reporting law takes effect July 1, 2026. Alabama, Illinois, Minnesota, Massachusetts, New Jersey, and Vermont add warrant, notice, or serious-crime limits. More than 16 cities ban police use entirely (Milwaukee paused use in February 2026), and Illinois (HB 5521) is weighing a statewide police ban.[54]
Drone (UAS) Surveillance
At least 18 states require a search warrant for law-enforcement drone surveillance: Alaska, Florida, Idaho, Illinois, Indiana, Iowa, Maine, Montana, Nevada, North Carolina, North Dakota, Oregon, Tennessee, Texas, Utah, Vermont, Virginia, and Wisconsin. About 24 states have drone-privacy legislation overall, typically with exceptions for exigent circumstances, search-and-rescue, and similar emergencies.[55]
Cell-Site Simulators (“Stingrays”)
At least a dozen states require a probable-cause warrant before police may deploy a cell-site simulator / IMSI catcher, including California, Washington, Utah, Virginia, Illinois, Minnesota, and Tennessee; Maryland imposes a warrant requirement through court decisions. In California, CalECPA’s electronic-data warrant covers cell-site-simulator use.[56][52]
Government Purchase of Commercial Data
State-level “Fourth Amendment Is Not For Sale”-style limits on government purchase of commercial or location data remain rare, but the trend is building: California’s pending ALPR out-of-state-sharing restriction and 2026 data-broker bills (e.g., Connecticut SB 4, Maryland) point toward more states constraining government access to brokered data and data-broker-to-government transfers.[49]
States Without Comprehensive Privacy Laws
Lacking a comprehensive consumer-privacy statute does not mean a state lacks privacy or surveillance legislation. Many of the states below have enacted adult-content age-verification, social-media, biometric, AI, or VPN-related laws even without an omnibus privacy framework:
- New York: The NY Privacy Act has been introduced repeatedly but not enacted. New York does have the SHIELD Act (data security and breach notification); the AI Companion Models law (Gen. Bus. Law §1700 et seq., effective November 5, 2025, AG-enforced chatbot safeguards for minors); the Safe By Design Act (enacted through the FY2027 budget in May 2026, sponsored by Sen. Andrew Gounardes), which imposes default child-safety design measures on social-media, gaming, and messaging platforms (parental consent for under-13s, default protections for under-17s, limits on adult-to-minor contact and on access to a minor’s geolocation, and AI companions off by default for minors) without requiring age verification; and the RAISE Act on frontier-AI safety. No comprehensive privacy or adult-content age-verification law.[47][63]
- Illinois: Home of the nation’s strongest biometric law, BIPA (private right of action; the basis of multiple nine-figure settlements), plus the AI Video Interview Act. The Children’s Online Social Media Safety Act (HB 5511, “Digital Age Assurance”) passed both chambers (House 82–27 in April; Senate 57–0 and House concurrence 113–0 on June 3, 2026) and awaits Governor Pritzker’s signature; like California’s AB 1043 it verifies age at the operating-system level (parents set the child’s age at device setup), bars algorithmic feeds for minors built on viewing history or stored device data, mandates default privacy settings and precise-location shielding, and prohibits notifications between 10 p.m. and 7 a.m., with AG enforcement ($2,500 unintentional / $7,500 intentional per child) and a 2028 effective date. SB 315, a frontier-AI transparency bill, passed the General Assembly and awaits enactment. No comprehensive privacy or adult-content age-verification law.[49][63]
- Massachusetts: No comprehensive law enacted, but one is now close. On June 4, 2026 the House unanimously passed (146–0) the Massachusetts Consumer Data Privacy Act (H.5472): data-minimization, access/correction/deletion/portability rights, opt-out of targeted advertising, a ban on the sale of precise geolocation data, a ban on targeted advertising to minors, AG rulemaking authority, and a private right of action against the largest data holders (100,000-consumer threshold). It now goes to a conference committee to be reconciled with the Senate version (S.2608, passed 40–0), so it is not yet law. Separately, on April 8, 2026 the House passed (129–25) a social-media bill banning accounts for users under 14, requiring parental approval at 14–15, mandating platform-side age verification, and banning school-day cellphone use.[57][39]
- Washington: The My Health My Data Act (consumer health data, with a private right of action) and a biometric privacy law (HB 1493), but no comprehensive omnibus consumer-privacy law.
- Michigan: No comprehensive law. HB 4938 (Anticorruption of Public Morals Act), proposed September 11, 2025, would obligate ISPs to detect and block VPNs, proxies, and encrypted tunnels ($500,000 penalties); stalled with no committee hearing.[46]
- Wisconsin: No comprehensive law. Age-verification bill AB 105 (its VPN-blocking provision stripped in February 2026) was vetoed by Gov. Evers on April 3, 2026, who proposed device-based age verification instead.[45]
- Ohio: No comprehensive privacy law, but adult-content age verification is in force (with periodic re-verification), and the Social Media Parental Notification Act was struck down/enjoined on First Amendment grounds.[50][51]
- Georgia: No comprehensive privacy law, but adult-content age verification is in force; its social-media age-verification law (SB 351) was preliminarily enjoined June 26, 2025.[50][51]
- North Carolina: No comprehensive privacy law, but adult-content age verification is in force (2024). Social media: House Bill 301 (passed the House 106–6 in 2025) would bar social-media accounts for children under 14 and require parental consent at 14–15, with platform-side age verification, civil penalties up to $50,000 per violation, and up to $10,000 in damages per minor; in early June 2026 it was rewritten to apply only to “addictive” algorithmic platforms and advanced in a state Senate committee (it also adds AI-literacy standards for schools). Not yet enacted.[50][64]
- Pennsylvania: No comprehensive privacy law and no adult-content age-verification statute, though privacy and AI bills are recurrently introduced.
- New Mexico: No comprehensive privacy law (the Digital Age Verification Act, HB 313, and successive Artificial Intelligence Act bills, HB 60 in 2025 and HB 28 in 2026, all failed). But in a lawsuit Attorney General Raúl Torrez filed in December 2023, a Santa Fe jury on March 24, 2026 found Meta liable under the state Unfair Practices Act and ordered it to pay $375 million in civil penalties (the maximum $5,000 per violation) for misleading users about platform safety while children were targeted by predators, the first US trial verdict against a social-media platform over child exploitation. A second, abatement phase opened May 4, 2026, with the Attorney General seeking to declare Meta a public nuisance, recover up to $3.7 billion, and force design changes including mandatory age verification, predator removal, and limits on encrypted messaging for minors.[65]
- Hawaii: No comprehensive privacy law and no enacted age-verification statute. In the 2026 session the legislature passed SB 3001, an AI-companion-chatbot safety act (operator disclosures, self-harm-response protocols, minor protections), which was enrolled to Governor Josh Green on May 8, 2026 and awaited his signature or veto as of mid-2026. A bill barring under-16s from social media (SB 2761) was deferred indefinitely over free-speech concerns, and an adult-content age-verification bill (HB 1212) carried over without enactment.[66]
Adult-content age-verification states without a comprehensive privacy law: beyond Ohio, Georgia, and North Carolina above, the following have enacted adult-content age-verification laws (in force) without an omnibus privacy statute: Mississippi (whose social-media age-verification law took effect after the Supreme Court declined to block it in August 2025, though it remains under appeal), Arkansas (whose Social Media Safety Act was blocked as unconstitutional in NetChoice v. Griffin), Idaho, Wyoming (which covers any amount of adult content), Kansas (a lower 25% threshold), South Carolina, South Dakota, North Dakota, Missouri, Arizona, and West Virginia (HB 4412, the 26th such state, effective June 12, 2026). (Louisiana, which pioneered the adult-content age-verification model in 2023, has since enacted a comprehensive privacy law (Act 502, signed May 29, 2026) and now appears in the table above.) The 2025 Supreme Court decision in Free Speech Coalition v. Paxton upheld this model under intermediate scrutiny, accelerating enactment.[50][51][36]
Key Trends (June 2026)
1. The Virginia Model Dominates
Fifteen or more states have followed the template established by Virginia: AG-only enforcement, no private right of action, opt-in for sensitive data, opt-out for general processing, and data protection assessments for high-risk activities. This convergence provides some degree of harmonization across states but entrenches a framework that consumer advocates consider insufficiently protective.[2]
2. California Remains the Outlier
With its dedicated enforcement agency, private right of action, and the broad consumer rights described above, California’s framework is significantly more complex than any other state’s. The CPPA’s 2026 regulations on automated decision-making are the first US state regulations to address this area in detail.[3]
3. Maryland Takes a Distinct Approach
MODPA’s prohibition on selling sensitive data regardless of consent, strict data minimization requirements, and anti-discrimination provisions represent the direction consumer privacy advocacy is pushing. Maryland’s approach is a different model: it moves away from the opt-out model toward substantive restrictions on data practices that cannot be overridden by consent.[19]
4. Universal Opt-Out Mechanisms Are Becoming Standard
California, Colorado, Connecticut, Oregon, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, and Texas now require recognition of universal opt-out preference signals such as the Global Privacy Control (GPC). This standardization reduces friction for consumers and creates a technical expectation that companies must honor browser-level privacy preferences.[28]
5. Children’s Privacy Is a Rapidly Expanding Area
Nearly every new state privacy law includes enhanced protections for minors. Standalone children’s online safety and social media laws are proliferating, with at least 19 states enacting restrictions. Age-appropriate design codes, dark pattern prohibitions for minors, and restrictions on targeted advertising to children are becoming standard features of new legislation.[27]
6. No Federal Comprehensive Privacy Law
The American Privacy Rights Act (APRA) was introduced in 2024 with bipartisan support but did not advance. The absence of federal legislation means the patchwork of 23 state laws, with differing thresholds, definitions, consumer rights, and enforcement mechanisms, continues to grow, creating significant compliance complexity for companies operating nationally.[1]
7. Enforcement Is Accelerating
The Texas AG’s $1.4 billion Meta settlement and the CPPA’s expanding enforcement program demonstrate that state-level privacy enforcement has reached a level of financial consequence previously associated only with federal agencies or European DPAs. The expiration of cure periods in Colorado, Connecticut, Montana, New Hampshire, and (as of January 31, 2026) Minnesota gives AGs immediate enforcement authority without the delay of a mandatory cure window. Texas filed its first TDPSA enforcement action in January 2025 (Allstate/Arity geolocation case); California, Texas, Colorado, Connecticut, Maryland, Minnesota, Oregon, and New Jersey are expected to be the most active enforcement states in 2026.[12][32]
8. OS-Level Age Verification: A New Frontier
California’s AB 1043 (effective January 1, 2027) represents the first attempt by any US state to impose age-verification obligations at the operating system layer rather than on individual apps or platforms. By requiring all OS providers to expose a standardized age-bracket API, California is attempting to create infrastructure that would allow any app to access a user’s age category without each app independently conducting age verification. The approach raises unresolved questions about implementation on multi-user devices and open-source operating systems, and Newsom himself has asked the legislature to address these issues before the 2027 effective date. In June 2026 Illinois became the second state to adopt the OS-level model, passing the Children’s Online Social Media Safety Act (HB 5511), which has parents set a child’s age at device setup and then constrains minors’ algorithmic feeds, default privacy, and notifications (awaiting the governor’s signature; effective 2028).[31][63]
9. State-Level VPN Regulation Has Begun
Utah’s SB 73 makes Utah the first US state to write VPN circumvention into its age-verification statute. The model is indirect: rather than banning VPN users, it makes the visited website liable for traffic from a Utah-located user even when the user’s apparent IP is outside Utah, and bars sites from explaining how a VPN works. Wisconsin tried a similar provision and pulled it back. Michigan’s pending HB 4938 takes the more aggressive route of conscripting ISPs to detect and block circumvention tools at the network layer. Whether the Utah model survives constitutional review will determine how aggressively other age-verification states follow.[44]
Pending Legislation
State legislatures introduced roughly 300 AI bills and ~180 consumer-privacy bills in 2026 sessions. The most active themes mirror this directory’s topic list, and the bills below are tracked weekly (e.g., the Troutman “Proposed State Privacy and AI Law Update” series), since status changes frequently.[49]
New Comprehensive Privacy Laws
Massachusetts is poised to become roughly the 21st state with a comprehensive consumer-privacy statute. The House passed the Massachusetts Consumer Data Privacy Act (H.5472) by a unanimous 146–0 on June 4, 2026; the Senate had already passed its own version (S.2608, 40–0). A conference committee must now reconcile the two before either chamber’s bill can reach the Governor, so Massachusetts does not yet have an enacted law. The bill is notable for pairing a ban on the sale of precise geolocation data and strong minor protections with a private right of action against the largest data holders, a feature most state privacy laws omit.[57]
Vermont is one step further along: on May 29, 2026 the legislature passed the Vermont Data Privacy and Online Surveillance Act (S.71) (House 129–3, Senate concurring), and it now awaits Governor Phil Scott’s signature (it would take effect January 1, 2028 if signed). It is the mirror image of the Massachusetts bill on the central fight: lawmakers stripped the private right of action (the provision that drew Scott’s June 2024 veto of the earlier H.121), leaving Attorney-General-only enforcement, but kept a notable ban on geofencing near health and reproductive-care clinics. By contrast, Maine’s comprehensive bill (LD 1822, modeled on Maryland’s MODPA) failed in the House on April 13, 2026, the second consecutive legislature to fall short after heavy business opposition.[60][61]
Data Brokers and Geolocation
Connecticut SB 4, signed into law in 2026 (House 141–6), adds a California-style data-broker registration regime, bans the sale of geolocation data, and adds facial-recognition provisions to the Connecticut Data Privacy Act. There is a broad multistate trend to prohibit selling precise geolocation: Oregon’s amendment bars sale of geolocation within a 1,750-foot radius, and Virginia’s SB 338 (signed 2026) prohibits controllers from selling precise geolocation under the VCDPA. Several states are also weighing tighter limits on government and law-enforcement purchase of broker data.[49][59]
AI Transparency and Automated Decisions
Illinois SB 315, approved by the General Assembly and awaiting enactment, is a frontier-AI transparency bill; Illinois, Connecticut, and New York are finalizing some of the most consequential 2026 AI and automated-decision-making provisions. These complement already-enacted measures such as Texas’s TRAIGA (HB 149, effective January 1, 2026) and California’s ADMT regulations.[49]
Age Verification, Social Media, and VPNs
The age-verification wave continues into 2026 sessions (app-store accountability, social-media minimum-age, and adult-content verification bills described in the Key Trends section above), along with the first state VPN-circumvention provisions (Utah SB 73 in effect but unenforced until September 3, 2026 pending challenge; Michigan HB 4938 pending). Most face First Amendment and Commerce Clause challenges.[49]
