US State Privacy Laws
22 states, no federal law, and an expanding patchwork
Overview
As of May 2026, 22 US states have enacted comprehensive consumer privacy laws — Oklahoma (SB 546, signed March 20, 2026) and Alabama (HB 351, signed April 17, 2026) are the two most recent additions, with effective dates of January 1, 2027 and May 1, 2027 respectively. Some tallies count 21 by excluding Florida from the “comprehensive” group due to its $1B+ revenue threshold; Oklahoma and Alabama are uniformly counted in. The United States has no federal comprehensive privacy law (the American Privacy Rights Act was introduced in 2024 but failed to advance), leaving a growing patchwork of state-level legislation as the primary framework governing consumer data protection in the country.[1]
The state privacy law landscape is dominated by the “Virginia model,” a template established by the Virginia Consumer Data Protection Act (VCDPA) in 2021 and subsequently adopted by 15 or more states. The model’s defining characteristics are: attorney general–only enforcement, no private right of action, opt-in consent for sensitive data processing, opt-out consent for general processing, and data protection assessment requirements for high-risk activities.[2]
California’s framework differs significantly from the Virginia model adopted by most states. The CCPA/CPRA created the California Privacy Protection Agency (CPPA) – the first and only dedicated state privacy enforcement agency – alongside the broadest consumer rights, a limited private right of action for data breaches, and the most detailed implementing regulations of any state. For a comprehensive treatment of California’s framework, see the California page.
For federal privacy and surveillance laws, see the US Federal page.
Comparison Table: All 22 States
| # | State | Law | Effective | Cure Period | Private Right of Action |
|---|---|---|---|---|---|
| 1 | California | CCPA/CPRA | Jan 2020 / Jan 2023 | 30 days (limited) | Yes (data breaches only) |
| 2 | Virginia | VCDPA | Jan 2023 | 30 days | No |
| 3 | Colorado | CPA | Jul 2023 | Expired Jan 2025 | No |
| 4 | Connecticut | CTDPA | Jul 2023 | Expired Dec 2024 | No |
| 5 | Utah | UCPA | Dec 2023 | 30 days | No |
| 6 | Iowa | ICDPA | Jan 2025 | 90 days | No |
| 7 | Indiana | ICDPA | Jan 2026 | 30 days (permanent) | No |
| 8 | Tennessee | TIPA | Jul 2025 | 60 days | No |
| 9 | Montana | MTCDPA | Oct 2024 | Expired early 2025 | No |
| 10 | Texas | TDPSA | Jul 2024 | 30 days | No |
| 11 | Oregon | OCPA | Jul 2024 | 30 days | No |
| 12 | Delaware | DPDPA | Jan 2025 | 60 days | No |
| 13 | Florida | FDBR | Jul 2024 | 45 days | No (limited for children) |
| 14 | New Hampshire | NHPA | Jan 2025 | Expired Dec 2025 | No |
| 15 | New Jersey | NJDPA | Jan 2025 | 30 days (18-month transition) | No |
| 16 | Kentucky | KCDPA | Jan 2026 | 30 days (permanent) | No |
| 17 | Maryland | MODPA | Oct 2025 | None specified | No |
| 18 | Minnesota | MCDPA | Jul 2025 | Expired Jan 2026 | No |
| 19 | Nebraska | NDPA | Jan 2025 | 30 days (permanent) | No |
| 20 | Rhode Island | RIDTPPA | Jan 2026 | None | No |
| 21 | Oklahoma | OCDPA (SB 546) | Jan 2027 | 30 days (sunsets) | No |
| 22 | Alabama | APDPA (HB 351) | May 2027 | 30 days | No |
State-by-State Summaries
California – CCPA/CPRA
California’s framework is covered in detail on the California page. In brief: the CCPA (2018) as amended by the CPRA (2020) created the nation’s first dedicated privacy enforcement agency (CPPA) alongside the rights and protections described in the overview above. New regulations on automated decision-making, insurance data, and cybersecurity audits took effect January 1, 2026.[3]
Beyond the comprehensive law: 4th Amendment / surveillance — CalECPA requires a warrant for electronic communications, metadata, and device data, the strongest state electronic-privacy statute; plus the Reader Privacy Act and CalOPPA. Data brokers — the DELETE Act and DROP one-stop deletion platform. AI — SB 243 companion-chatbot safeguards (in force Jan 1, 2026) and the CCPA ADMT regulations. Age verification — CAADCA (enjoined) and SB 976 social-media “addiction” law (permanently enjoined December 2025); AB 1043 OS-level age assurance (effective Jan 1, 2027). No adult-content age-verification statute. Police surveillance tech — CalECPA’s warrant requirement (above) also covers cell-site simulators; ALPR data held by the Highway Patrol is capped at 60 days (SB 34), with pending limits on out-of-state/federal sharing. Proposed: AB 1883 (workplace surveillance tools), AB 1898 (workplace AI disclosure), plus CIPA, data-broker, precise-geolocation, and ~10 AI bills.[52][53][47][38][49]
Virginia – VCDPA
The Virginia Consumer Data Protection Act, signed March 2, 2021 and effective January 1, 2023, was the second comprehensive state privacy law and established the template that most subsequent states followed. Enforced exclusively by the Virginia Attorney General with a 30-day cure period. Applies to entities processing data of 100,000+ consumers or 25,000+ consumers where 50%+ of revenue comes from data sales. Standard consumer rights (access, correct, delete, portability, opt-out of sale/targeted advertising/profiling) with opt-in required for sensitive data.[4] In April 2026, the legislature enacted SB 338, prohibiting controllers from selling or offering for sale precise geolocation data.[43]
Beyond the comprehensive law: Adult-content age verification — Virginia requires age verification for sites with a substantial portion of material harmful to minors (in force), though a 2026 age-assurance enforcement/rulemaking effort was temporarily blocked on First Amendment grounds. Social media — SB 854 imposes a default one-hour-per-day social-media limit for users under 16 absent parental consent (in force). No standalone app-store or VPN statute. Police surveillance tech — Virginia restricts police facial recognition via a warrant-audit-reporting law effective July 1, 2026, and requires warrants for drone surveillance and cell-site simulators.[50][51][54][55]
Colorado – CPA
The Colorado Privacy Act, signed July 7, 2021 and effective July 1, 2023, was the third comprehensive state privacy law. Colorado was one of the first states to require recognition of universal opt-out mechanisms (effective July 1, 2024). The cure period expired January 1, 2025, giving the AG immediate enforcement discretion. Amendments expanding children’s protections under SB 24-041 take effect July 1, 2026. Enforced by the Colorado Attorney General and District Attorneys.[5]
Beyond the comprehensive law: AI — the Colorado Artificial Intelligence Act (SB 24-205), the first US comprehensive AI law, regulates “high-risk” AI systems and algorithmic discrimination with developer/deployer duties; its effective date was pushed to June 30, 2026. No adult-content age-verification, social-media, app-store, or VPN statute; minors’ protections run through the CPA amendments. Police surveillance tech — Colorado is among the seven states with the strongest limits on police facial recognition.[49][54]
Connecticut – CTDPA
The Connecticut Data Privacy Act, signed May 10, 2022 and effective July 1, 2023, is among the more consumer-friendly state laws due to its absence of a revenue threshold. Required honoring universal opt-out preference signals since January 1, 2025. Significant 2024–2025 amendments added consumer health data protections and children’s online safety provisions, including a prohibition on features designed to increase minors’ usage such as endless scrolling. Cure period expired December 31, 2024.[6] A further major overhaul (SB 1295, effective July 1, 2026) substantially expands the law: the applicability threshold is lowered from 100,000 to 35,000 consumers (or any entity that sells personal data regardless of volume); neural data is added to the sensitive data category requiring opt-in consent; and privacy notices must disclose whether a controller engages in profiling and whether personal data is used to train large language models.[31]
Beyond the comprehensive law: children’s online-safety provisions in the CTDPA bar design features that increase minors’ usage (e.g., endless scrolling). No standalone adult-content age-verification, social-media-ban, app-store, or VPN statute. Proposed: SB 4 would add a California-style data-broker registration regime, ban the sale of geolocation data, and add facial-recognition provisions.[49]
Utah – UCPA
The Utah Consumer Privacy Act, signed March 24, 2022 and effective December 31, 2023, has been characterized as among the most business-friendly of the early comprehensive privacy laws. Uses an opt-out model for both general and sensitive data (no opt-in required for sensitive data, unlike most states). Higher threshold: $25 million annual revenue AND processing data of 100,000+ consumers. Does not require data protection assessments. Utah AI Policy Act provisions updating the UCPA framework take effect July 1, 2026.[7]
Beyond the comprehensive law: Utah is the most active state across this directory’s non-privacy topics. Adult-content age verification — in force. Social media — the Social Media Regulation Act (SB 152 / HB 311, re-enacted as SB 194 / HB 464) requires parental consent for minors and imposes a default overnight curfew; enjoined, on appeal. App store — the App Store Accountability Act (SB 142), the first such law in force (May 2026), requires app-store age verification and parental consent for minors. VPN — SB 73 is the first state statute to write VPN circumvention into an age-verification law (a Utah-located user is covered behind a VPN; sites may not explain VPN use), effective May 6, 2026 but currently on hold pending challenge. 4th Amendment / surveillance — Utah’s electronic-information privacy statute and its warrant requirement for geofence and other reverse searches are among the strongest state protections; Utah was also among the first states to require a warrant for police facial recognition, and it requires warrants for drone surveillance and cell-site simulators and regulates ALPRs. AI — the AI Policy Act mandates disclosure of generative-AI interactions.[50][51][44][52][54][55]
Iowa – ICDPA
The Iowa Consumer Data Protection Act, signed March 29, 2023 and effective January 1, 2025, is among the most business-friendly comprehensive privacy laws enacted to date. It does not grant consumers the right to correct personal data or opt out of profiling. Uses opt-out (not opt-in) for sensitive data. Features a 90-day cure period – one of the longest of any state. No data protection assessment requirement. Enforced exclusively by the Iowa Attorney General.[8]
Beyond the comprehensive law: Iowa has no separate adult-content age-verification, social-media, app-store, VPN, biometric, or AI statute; its privacy regime is limited to the business-friendly ICDPA. Police surveillance tech — Iowa requires a warrant for drone surveillance.[55]
Indiana – ICDPA
The Indiana Consumer Data Protection Act, signed May 1, 2023 and effective January 1, 2026, largely mirrors the Virginia model. Applies to entities processing data of 100,000+ Indiana residents or 25,000+ where 50%+ of revenue is from data sales. Features a permanent 30-day cure period that does not sunset. Standard consumer rights package enforced by the Indiana Attorney General.[9]
Beyond the comprehensive law: Adult-content age verification — Indiana’s SEA 17 (effective 2024) requires age verification for sites with a substantial portion of material harmful to minors; enforcement was briefly paused by litigation. No social-media, app-store, or VPN statute. Police surveillance tech — Indiana requires a warrant for drone surveillance.[50][55]
Tennessee – TIPA
The Tennessee Information Protection Act, signed May 11, 2023 and effective July 1, 2025, is the first state to formally incorporate the NIST Privacy Framework as a compliance tool – alignment with the framework serves as an affirmative defense against enforcement actions. Features among the highest applicability thresholds: $25 million revenue AND 175,000+ consumers. 60-day cure period. Fully exempts state-licensed insurance companies.[10]
Beyond the comprehensive law: Adult-content age verification — in force (2025). Social media — the Protecting Children from Social Media Act requires age verification and parental consent for minors, in force January 1, 2025. No app-store or VPN statute. Police surveillance tech — Tennessee requires warrants for drone surveillance and cell-site simulators.[50][51][55][56]
Montana – MTCDPA
The Montana Consumer Data Privacy Act, signed May 19, 2023 (passed unanimously) and effective October 1, 2024, reflects Montana’s small population with a low applicability threshold of 50,000 consumers. Significant 2025 amendments (SB 297, effective October 1, 2025): removed all applicability thresholds for minor protections under age 18, eliminated the Gramm-Leach-Bliley financial institution exemption, and closed the cure period six months early.[11]
Beyond the comprehensive law: Adult-content age verification — Montana’s SB 544 requires age verification for sites with material harmful to minors (in force). The MTCDPA’s minor protections apply with no thresholds for users under 18. No social-media, app-store, or VPN statute. Police surveillance tech — Montana was among the first states to require a warrant for police facial recognition, requires warrants for drone surveillance, and regulates ALPRs.[50][54][55]
Texas – TDPSA
The Texas Data Privacy and Security Act, signed June 18, 2023 and effective July 1, 2024, covers the largest state by population after California. Texas stands out for having no revenue threshold and no minimum consumer data processing threshold – it applies to all non-exempt entities that conduct business in Texas and process or sell personal data (with a small business exemption). The Texas AG has been among the most active enforcers, announcing a $1.4 billion settlement with Meta in July 2024 for CUBI biometric violations – the largest biometric privacy settlement in history – and filing the first TDPSA enforcement action on January 13, 2025, against Allstate and its subsidiary Arity for processing precise geolocation data from 45+ million consumers without consent.[12][32]
Texas has enacted several additional privacy-adjacent laws since the TDPSA. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 1, 2026, imposes obligations on AI developers and deployers and requires government entities to clearly disclose AI interactions to the public before or at the time of the interaction.[33] The Electronic Health Records Data Localization Law (S.B. 1188), signed June 20, 2025 and effective January 1, 2026, mandates that all electronic health records be physically stored on servers located in the United States — offshore storage is banned, though offshore access with safeguards remains permissible — and imposes requirements on AI tools used in clinical decision-making.[34] The Texas Genomic Act of 2025 (HB 130), signed May 2025, restricts the collection and transfer of genome sequencing data to entities connected to designated foreign adversaries including China, Russia, Iran, Cuba, North Korea, and Venezuela.[33] Finally, the App Store Accountability Act (SB 2420), which would have required app stores to verify users’ ages and obtain parental consent before minors could download apps or make in-app purchases, was enjoined on December 23, 2025 by the U.S. District Court for the Western District of Texas and is currently blocked pending litigation.[35]
More state laws by topic: Adult-content age verification — HB 1181, upheld by the U.S. Supreme Court in Free Speech Coalition v. Paxton (June 27, 2025) and in force (Texas also mandates a health warning). Social media — the SCOPE Act (HB 18) requires age verification and parental tools for known minors on large platforms; portions have been enjoined in ongoing First Amendment litigation. Biometric — CUBI (the basis of the $1.4B Meta settlement). No VPN statute. Police surveillance tech — Texas requires a warrant for drone surveillance.[36][51][55]
Oregon – OCPA
The Oregon Consumer Privacy Act, signed July 18, 2023 and effective July 1, 2024 (nonprofits: July 1, 2025), is one of the few comprehensive state privacy laws that covers nonprofit organizations. Features the broadest definition of “sensitive data” among all states – uniquely including transgender or non-binary status and crime victim status. Requires controllers to disclose the specific third parties (not just categories) that received a consumer’s data. Penalties up to $7,500 per violation.[13]
Beyond the comprehensive law: Oregon has no separate adult-content age-verification, social-media, app-store, or VPN statute; its broad “sensitive data” definition and specific-third-party disclosure rule are its distinctive features. Police surveillance tech — Oregon’s SB 1516 (signed March 31, 2026) caps police ALPR retention at 30 days and limits inter-agency sharing, and Oregon requires a warrant for drone surveillance. Proposed: an amendment barring the sale of precise geolocation within a 1,750-foot radius.[53][55][49]
Delaware – DPDPA
The Delaware Personal Data Privacy Act, signed September 11, 2023 and effective January 1, 2025, is considered one of the strongest state privacy laws. Covers nonprofits and institutions of higher education (unlike most states). Special protections for minors: parental consent required for those under 13, direct consent from teens aged 13–17 for targeted advertising or data sales. Low threshold: 35,000 consumers or 10,000 with 20%+ revenue from data sales.[14]
Beyond the comprehensive law: Delaware has no separate adult-content age-verification, social-media, app-store, or VPN statute; minors are protected through the DPDPA (parental consent under 13; teen consent 13–17 for targeted ads/sales).
Florida – FDBR
The Florida Digital Bill of Rights, signed June 6, 2023 and effective July 1, 2024, has the narrowest applicability of any state – it applies only to entities with $1 billion+ in annual gross revenue, meaning very few companies are covered. Includes unique provisions prohibiting government employees from contacting social media platforms to request content removal. Some trackers do not classify it as truly “comprehensive” due to its narrow scope.[15]
Beyond the comprehensive law: Age verification / social media — Florida’s HB 3 is among the most aggressive in the country, prohibiting accounts for users under 14 and requiring parental consent at 14–15, plus age verification for sites with material harmful to minors; a June 2025 injunction was stayed on appeal and key provisions are currently enforceable pending litigation. Free speech — the FDBR bars government employees from contacting platforms to request content removal. No app-store or VPN statute. Police surveillance tech — Florida requires a warrant for drone surveillance.[51][50][55]
New Hampshire – NHPA
The New Hampshire Privacy Act, signed March 6, 2024 and effective January 1, 2025, features a strong anti-dark-patterns provision: consent must be a “clear affirmative act” and cannot be obtained through acceptance of general terms, hovering, closing content, or dark patterns. Heightened protections for teens aged 13–16 (targeted advertising and data sales prohibited without consent). Cure period expired December 31, 2025.[16]
Beyond the comprehensive law: New Hampshire has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the strong anti-dark-patterns consent rule and teen (13–16) protections in the NHPA. Police surveillance tech — New Hampshire restricts government use of ALPRs.[53]
New Jersey – NJDPA
The New Jersey Data Protection Act, signed January 16, 2024 and effective January 15, 2025, is the first state law to both require opt-in consent for profiling of children and apply minor protections up to age 17 (not just under 13 as in COPPA). Covers nonprofits, with no nonprofit exemption. Broad AG rulemaking authority. No revenue threshold. 18-month transitional enforcement period with a 30-day cure window through approximately July 2026.[17]
Beyond the comprehensive law: New Jersey has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive feature is the strongest minor protection of any comprehensive law: opt-in consent for profiling of, and protections extending to, anyone under 18. Police surveillance tech — New Jersey imposes warrant/notice limits on police facial recognition.[54]
Kentucky – KCDPA
The Kentucky Consumer Data Protection Act, signed April 4, 2024 and effective January 1, 2026, largely mirrors the Virginia model. Features a permanent (non-sunsetting) 30-day cure period, one of the most business-friendly enforcement provisions. Standard applicability: 100,000 consumers or 25,000 with 50%+ revenue from data sales. Data protection assessment requirements for higher-risk processing.[18]
Beyond the comprehensive law: Adult-content age verification — Kentucky’s HB 278 requires age verification for sites with material harmful to minors (in force 2024), with a requirement that personal data be deleted after an access review. No social-media, app-store, or VPN statute.[50]
Maryland – MODPA
The Maryland Online Data Privacy Act, signed May 2024 and effective October 1, 2025, is considered one of the most restrictive state privacy laws, imposing significant compliance requirements. Key distinctions: (1) prohibits the sale of sensitive data entirely, regardless of consent – a unique approach where consent does not override the prohibition; (2) strict data minimization requiring collection to be “reasonably necessary and proportionate”; (3) unique anti-discrimination provision; (4) prohibits advertising/sale of data for anyone under 18; (5) regulates consumer health data including gender-affirming treatment and reproductive health data.[19]
Beyond the comprehensive law: Maryland has no separate adult-content age-verification, social-media, app-store, or VPN statute; its data-minimization mandate, outright ban on selling sensitive data (consent cannot override), and under-18 advertising/sale ban are its distinctive features. Police surveillance tech — Maryland enacted what are widely regarded as the strongest police facial-recognition rules in the country (including notice to defendants when the technology was used) and imposes a warrant requirement for cell-site simulators. Proposed: HB 711, addressing data use in immigration enforcement.[54][56][49]
Minnesota – MCDPA
The Minnesota Consumer Data Privacy Act, signed May 24, 2024 and effective July 31, 2025, contains a unique right to question profiling – including the right to ask for results of profiling and challenge inaccurate information, especially regarding automated decisions affecting access to jobs, housing, education, insurance, or essential services. First state to require controllers to designate a chief privacy officer and include their contact information in privacy policies. The 30-day cure period expired January 31, 2026, giving the AG immediate enforcement discretion without a mandatory cure window. Minnesota and Colorado are expected to emerge as active enforcement states in 2026. Penalties up to $7,500 per violation.[20]
Beyond the comprehensive law: Minnesota has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the right to question profiling/automated decisions and the mandatory chief-privacy-officer designation. Police surveillance tech — Minnesota imposes limits on police facial recognition and requires warrants for drone surveillance and cell-site simulators.[54][55][56]
Nebraska – NDPA
The Nebraska Data Privacy Act, signed April 17, 2024 and effective January 1, 2025, has no revenue threshold and no minimum consumer data processing threshold (similar to Texas), applying broadly to any person conducting business in Nebraska that processes or sells personal data – with a small business exemption per the federal Small Business Act. The exemption does not apply if the business sells sensitive data without consent. Permanent 30-day cure period. Known child data classified as sensitive data requiring opt-in consent.[21] In April 2026, Governor Pillen signed LB 838, amending Nebraska’s Age-Appropriate Online Design Code Act and broadening its applicability.[43]
Beyond the comprehensive law: Adult-content age verification — in force (2024). Social media — LB 383 (Parental Rights in Social Media Act) requires age verification and parental consent for under-18s, effective July 1, 2026, alongside the Age-Appropriate Online Design Code. No app-store or VPN statute.[50][51]
Rhode Island – RIDTPPA
The Rhode Island Data Transparency and Privacy Protection Act, transmitted without the governor’s signature June 28, 2024 and effective January 1, 2026, features a unique two-tiered applicability structure: Tier One applies transparency requirements to any commercial website or ISP that sells personally identifiable information; Tier Two applies full requirements to for-profit entities processing data of 35,000+ Rhode Island residents. Rhode Island is among the strictest states with no cure period – businesses must be in compliance from day one. Penalties up to $10,000 per violation (higher than the standard $7,500).[22]
Beyond the comprehensive law: Rhode Island has no separate adult-content age-verification, social-media, app-store, or VPN statute; its distinctive features are the two-tier applicability, the absence of any cure period, and the higher $10,000 penalty.
Oklahoma – OCDPA (SB 546)
The Oklahoma Consumer Data Privacy Act, signed by Governor Kevin Stitt on March 20, 2026 and effective January 1, 2027, follows the Virginia template. Applies to controllers processing data of 100,000+ Oklahomans, or 25,000+ where 50%+ of revenue derives from data sales. Standard consumer rights (access, correct, delete, opt out of targeted advertising / sale / profiling) and opt-in for sensitive data. Enforced exclusively by the Oklahoma Attorney General with civil penalties up to $7,500 per violation; 30-day cure period that sunsets after an initial period.[41]
Beyond the comprehensive law: Adult-content age verification — Oklahoma requires age verification for sites with material harmful to minors (in force 2024). No social-media, app-store, or VPN statute.[50]
Alabama – APDPA (HB 351)
The Alabama Personal Data Protection Act, signed by Governor Kay Ivey on April 17, 2026 (passed unanimously: House 104–0, Senate 34–0) and effective May 1, 2027, made Alabama the most recent state to enact a comprehensive privacy law. Affirmative consumer consent is required for processing sensitive data, defined to include racial/ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, and precise geolocation. Departures from the Virginia template appear in applicability thresholds, the definition of “sale,” and entity-level exemptions. AG-only enforcement; 30-day cure period.[42]
Beyond the comprehensive law: Adult-content age verification — Alabama requires age verification for sites with material harmful to minors (in force 2024) and mandates a health warning. App store — the App Store Accountability Act (HB 161), signed February 2026 and effective January 1, 2027, defines four age brackets, requires minor accounts to be affiliated with a verified parent, and conditions downloads/in-app purchases on verifiable parental consent. No VPN statute. Police surveillance tech — Alabama imposes warrant/notice limits on police facial recognition.[50][37][54]
Sector-Specific State Privacy Laws
Beyond comprehensive consumer privacy laws, several sector-specific state statutes have had significant impact on privacy enforcement and litigation.
Illinois BIPA (Biometric Information Privacy Act, 2008)
Illinois BIPA is the most litigated privacy statute in the United States. Enacted in 2008, it regulates the collection, use, storage, and destruction of biometric identifiers (fingerprints, retina/iris scans, voiceprints, face geometry scans). BIPA is the only biometric privacy law with a private right of action, which has generated massive litigation: damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.[23]
A 2024 amendment (SB 2979, signed August 2, 2024) limits damages by redefining repeated collection or transmission of the same biometric data by the same party as a single violation – previously, each individual scan could constitute a separate violation, creating enormous potential liability. Despite this amendment, BIPA remains the most actively litigated privacy statute in the country. Notable settlements include $51.75 million (nationwide class, 2024), $47.5 million (facial recognition), and $8.75 million (student data).[23]
Washington My Health My Data Act (MHMDA, 2023)
Enacted in 2023 and effective March 31, 2024 (large businesses) and June 30, 2024 (small businesses), the MHMDA broadly regulates collection, use, and sale of “consumer health data” – defined expansively to include data used to identify physical or mental health status, including reproductive health, gender-affirming care, and more. Features a broad private right of action with presumptions benefiting plaintiffs; any violation is a per se violation of the Washington Consumer Protection Act. Notably prohibits geofencing around health care facilities. Enacted in response to Dobbs concerns about reproductive health data.[24]
Texas CUBI (Capture or Use of Biometric Identifier Act)
Originally enacted in 2001 (expanded 2009), Texas CUBI regulates biometric identifiers including retina/iris scans, fingerprints, voiceprints, and hand/face geometry. No private right of action – the Texas AG has exclusive enforcement with penalties up to $25,000 per violation. The statute gained national prominence through the $1.4 billion Meta settlement described above, which specifically concerned Meta’s unauthorized capture of facial geometry data through Facebook’s photo-tagging feature in violation of CUBI.[25]
California Age-Appropriate Design Code Act (CAADCA / AB 2273)
Enacted September 15, 2022, the CAADCA requires online services “likely to be accessed by children” to configure default privacy settings to high privacy, assess whether algorithms or data collection could harm children, and use age-appropriate language. Modeled on the UK’s Age-Appropriate Design Code. However, a preliminary injunction was issued in September 2023 by the Northern District of California in NetChoice v. Bonta, blocking enforcement on First Amendment grounds. The case is on appeal to the Ninth Circuit.[26]
Children’s Social Media and Age Verification Laws
More than 20 states have enacted laws restricting minors’ social media access, requiring age verification and/or parental consent. Early movers included Arkansas, California, Texas, Florida, Georgia, Louisiana, Mississippi, Tennessee, and Utah. Utah’s App Store Age Verification Law was the first to require app store providers to verify all users’ ages and obtain parental consent for minors’ downloads. Many of these laws face ongoing constitutional challenges on First Amendment grounds; some have been enjoined (Georgia SB 351 preliminarily enjoined June 26, 2025; California SB 976 permanently enjoined December 2025), while others are now in force (Virginia SB 854).[27]
Adult content age verification: Separately, approximately 25 states mandate age verification for accessing adult content. On June 27, 2025 in Free Speech Coalition v. Paxton, the U.S. Supreme Court upheld Texas H.B. 1181 6–3 under intermediate scrutiny, removing the principal federal constitutional obstacle to adult content age verification at the state level. The ruling has accelerated enactment in additional states and shifted remaining First Amendment litigation to as-applied and data-protection grounds.[36]
California’s AB 1043 (Digital Age Assurance Act), signed October 13, 2025 and effective January 1, 2027, takes the most novel approach: it operates at the operating system level, requiring every OS provider (including Linux distributions and SteamOS) to collect age at account setup and expose a real-time API categorizing users into four age brackets (under 13, 13–15, 16–17, 18+) for use by app developers. Texas passed a similar App Store Accountability Act (SB 2420) for age verification and parental consent at the app store level, but that law was enjoined on December 23, 2025 by the Western District of Texas and remains blocked.[35]
2026 legislative wave: The first months of 2026 added several states to the age-verification landscape. Alabama HB 161 (App Store Accountability Act) was signed by Governor Kay Ivey in February 2026 and takes effect January 1, 2027; the Act defines four age categories (under 13; 13–15; 16–17; 18+), requires app stores to affiliate minor accounts with a verified parent, and conditions app downloads and in-app purchases on verifiable parental consent. Nebraska LB 383 (Parental Rights in Social Media Act) takes effect July 1, 2026, requiring platforms to verify all users’ ages and obtain parental consent for anyone under 18. Massachusetts became the first New England state to advance a minimum-age social media bill: on April 8, 2026 the state House passed legislation 129–25 that would prohibit accounts for users under 14, require parental approval for ages 14–15, mandate platform-side age verification, and ban cellphone use during the school day; the bill now awaits Senate consideration. In Wisconsin, Governor Tony Evers vetoed Assembly Bill 105 in April 2026, calling the adult-content age-verification scheme “a violation of personal privacy.”[37][38][39][40]
AI companion chatbots: A parallel 2026 front extends children’s online-safety regulation beyond social media to AI companion chatbots. California SB 243, signed October 13, 2025 and effective January 1, 2026, is the first state law dedicated to companion chatbots: operators must disclose to known minors that they are interacting with AI, issue break reminders at least every three hours, maintain protocols that refer users expressing suicidal ideation or self-harm to crisis services, and take reasonable measures to block sexually explicit output to minors. It carries a private right of action. New York’s AI Companion Models law (Gen. Bus. Law §1700 et seq.), effective November 5, 2025, imposes similar safeguards but is enforceable only by the Attorney General. The two statutes opened a new regulatory category that several additional states began modeling in 2026 sessions.[47][48]
VPN Circumvention — Utah SB 73 and the State VPN Front
Utah SB 73 (Online Age Verification Amendments) — signed by Governor Spencer Cox on March 19, 2026 and effective May 6, 2026 — is the first US state law to legally target VPN use as an age-verification circumvention vector. The Act treats a user as accessing a covered website “from Utah” whenever the user is physically located in Utah, regardless of any VPN, proxy, or geolocation-masking tool, shifting compliance liability onto adult-content sites for users who tunnel in. The law also forbids covered sites from facilitating, encouraging, or providing instructions on VPN use to bypass age verification — a speech restriction the Electronic Frontier Foundation has called “a technical whack-a-mole that likely no company can win,” with comprehensive VPN IP blocklists infeasible at scale. Civil-liberties analysts estimate roughly a 60% probability that the VPN provisions will be struck down on First Amendment or Commerce Clause grounds; legal challenges are expected.[44]
Wisconsin AB 105: Wisconsin briefly advanced a comparable VPN-targeting provision in early 2026, but on February 19, 2026 the bill’s lead sponsor, Rep. Brent Jacobson, agreed to strip the VPN language after pushback from digital-rights groups, VPN providers, and constituents (“the VPN provision went too far”). Governor Evers then vetoed the residual age-verification bill on April 3, 2026, objecting to its “intrusion into the personal privacy of Wisconsin residents” and proposing device-based age verification (verification on the user’s own device, without submitting ID or biometrics to platforms) as a more privacy-protective alternative. No Wisconsin VPN restriction or age-verification mandate is in force.[45]
Michigan HB 4938 (Anticorruption of Public Morals Act): Introduced September 11, 2025 by six Republican representatives, this proposed bill would go substantially further than Utah by directly obligating internet service providers to monitor for and block “circumvention tools,” explicitly including VPNs, proxies, and encrypted tunnels, with civil penalties up to $500,000 per violation. Promotion or sale of circumvention tools is also banned. As of May 2026 the bill has not been scheduled for a hearing.[46]
State Surveillance & Police-Technology Laws
Separate from consumer-privacy statutes, a growing body of state law regulates how state and local government may conduct surveillance, frequently supplying Fourth-Amendment-style warrant protections that federal law does not. These laws apply regardless of whether a state has a comprehensive privacy law, so they are organized here by technology, with the relevant states named under each.
Electronic Data, Geofence & Reverse Warrants
California’s CalECPA requires a warrant for electronic communications, metadata, and device data, and is the broadest state electronic-privacy statute. Utah enacted the first statute generally requiring a warrant for geofence and other reverse searches, and it also protects stored electronic data. The constitutionality of geofence/reverse-search warrants is the subject of a circuit split and pending Supreme Court review (2026).[52]
Automated License Plate Readers (ALPR)
At least 16 states regulate ALPRs (roughly eight limit retention, six restrict government use). 2026 brought a wave driven by the spread of Flock Safety’s nationwide camera network: Washington’s SB 6002 (signed March 30, 2026) mandates deletion of ALPR data after 21 days; Oregon’s SB 1516 (signed March 31, 2026) caps retention at 30 days and logs and limits inter-agency sharing. California (SB 34) caps Highway Patrol retention at 60 days, and pending legislation would bar sharing ALPR data with out-of-state or federal agencies without a warrant. Maine, New Hampshire, Vermont, Montana, and Arkansas also regulate ALPRs; several states are simultaneously moving to shield ALPR data from public-records disclosure.[53]
Facial Recognition
By 2026, roughly 15 states limit police use of facial recognition. Seven impose the strongest limits: Colorado, Maryland, Maine, Montana, Utah, Virginia, and Washington. Montana and Utah were the first to require a warrant; Maryland’s rules (including notice to defendants when the technology was used) are considered the strongest; Virginia’s warrant-audit-reporting law takes effect July 1, 2026. Alabama, Illinois, Minnesota, Massachusetts, New Jersey, and Vermont add warrant, notice, or serious-crime limits. More than 16 cities ban police use entirely (Milwaukee paused use in February 2026), and Illinois (HB 5521) is weighing a statewide police ban.[54]
Drone (UAS) Surveillance
At least 18 states require a search warrant for law-enforcement drone surveillance: Alaska, Florida, Idaho, Illinois, Indiana, Iowa, Maine, Montana, Nevada, North Carolina, North Dakota, Oregon, Tennessee, Texas, Utah, Vermont, Virginia, and Wisconsin. About 24 states have drone-privacy legislation overall, typically with exceptions for exigent circumstances, search-and-rescue, and similar emergencies.[55]
Cell-Site Simulators (“Stingrays”)
At least a dozen states require a probable-cause warrant before police may deploy a cell-site simulator / IMSI catcher, including California, Washington, Utah, Virginia, Illinois, Minnesota, and Tennessee; Maryland imposes a warrant requirement through court decisions. In California, CalECPA’s electronic-data warrant covers cell-site-simulator use.[56][52]
Government Purchase of Commercial Data
State-level “Fourth Amendment Is Not For Sale”-style limits on government purchase of commercial or location data remain rare, but the trend is building: California’s pending ALPR out-of-state-sharing restriction and 2026 data-broker bills (e.g., Connecticut SB 4, Maryland) point toward more states constraining government access to brokered data and data-broker-to-government transfers.[49]
States Without Comprehensive Privacy Laws
Lacking a comprehensive consumer-privacy statute does not mean a state lacks privacy or surveillance legislation. Many of the states below have enacted adult-content age-verification, social-media, biometric, AI, or VPN-related laws even without an omnibus privacy framework:
- New York: The NY Privacy Act has been introduced repeatedly but not enacted. New York does have the SHIELD Act (data security and breach notification); the AI Companion Models law (Gen. Bus. Law §1700 et seq., effective November 5, 2025, AG-enforced chatbot safeguards for minors); and the RAISE Act on frontier-AI safety. No comprehensive privacy or adult-content age-verification law.[47]
- Illinois: Home of the nation’s strongest biometric law, BIPA (private right of action; the basis of multiple nine-figure settlements), plus the AI Video Interview Act. SB 315, a frontier-AI transparency bill, passed the General Assembly and awaits enactment. No comprehensive privacy or adult-content age-verification law.[49]
- Massachusetts: No comprehensive law enacted; on April 8, 2026 the House passed (129–25) a bill banning accounts for users under 14, requiring parental approval at 14–15, mandating platform-side age verification, and banning school-day cellphone use; it awaits the Senate.[39]
- Washington: The My Health My Data Act (consumer health data, with a private right of action) and a biometric privacy law (HB 1493), but no comprehensive omnibus consumer-privacy law.
- Michigan: No comprehensive law. HB 4938 (Anticorruption of Public Morals Act) — proposed September 11, 2025 — would obligate ISPs to detect and block VPNs, proxies, and encrypted tunnels ($500,000 penalties); stalled with no committee hearing.[46]
- Wisconsin: No comprehensive law. Age-verification bill AB 105 (its VPN-blocking provision stripped in February 2026) was vetoed by Gov. Evers on April 3, 2026, who proposed device-based age verification instead.[45]
- Ohio: No comprehensive privacy law, but adult-content age verification is in force (with periodic re-verification), and the Social Media Parental Notification Act was struck down/enjoined on First Amendment grounds.[50][51]
- Georgia: No comprehensive privacy law, but adult-content age verification is in force; its social-media age-verification law (SB 351) was preliminarily enjoined June 26, 2025.[50][51]
- North Carolina: No comprehensive privacy law, but adult-content age verification is in force (2024).[50]
- Pennsylvania: No comprehensive privacy law and no adult-content age-verification statute, though privacy and AI bills are recurrently introduced.
Adult-content age-verification states without a comprehensive privacy law: beyond Ohio, Georgia, and North Carolina above, the following have enacted adult-content age-verification laws (in force) without an omnibus privacy statute: Louisiana (the first in the nation, 2023, the model others copied), Mississippi (which also enacted a social-media age-verification law, in litigation), Arkansas (whose Social Media Safety Act was blocked as unconstitutional in NetChoice v. Griffin), Idaho, Wyoming (which covers any amount of adult content), Kansas (a lower 25% threshold), South Carolina, South Dakota, North Dakota, Missouri, and Arizona. The 2025 Supreme Court decision in Free Speech Coalition v. Paxton upheld this model under intermediate scrutiny, accelerating enactment.[50][51][36]
Key Trends (May 2026)
1. The Virginia Model Dominates
Fifteen or more states have followed the template established by Virginia: AG-only enforcement, no private right of action, opt-in for sensitive data, opt-out for general processing, and data protection assessments for high-risk activities. This convergence provides some degree of harmonization across states but entrenches a framework that consumer advocates consider insufficiently protective.[2]
2. California Remains the Outlier
With its dedicated enforcement agency, private right of action, and the broad consumer rights described above, California’s framework is significantly more complex than any other state’s. The CPPA’s 2026 regulations on automated decision-making are the first US state regulations to address this area in detail.[3]
3. Maryland Takes a Distinct Approach
MODPA’s prohibition on selling sensitive data regardless of consent, strict data minimization requirements, and anti-discrimination provisions represent the direction consumer privacy advocacy is pushing. Maryland’s approach marks a shift away from the opt-out model toward substantive restrictions on data practices that cannot be overridden by consent.[19]
4. Universal Opt-Out Mechanisms Are Becoming Standard
California, Colorado, Connecticut, Oregon, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, and Texas now require recognition of universal opt-out preference signals such as the Global Privacy Control (GPC). This standardization reduces friction for consumers and creates a technical expectation that companies must honor browser-level privacy preferences.[28]
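What honoring a universal opt-out signal looks like on the server side, as an added example that is not part of the original page: the W3C Global Privacy Control draft sends the signal as the HTTP header `Sec-GPC` (the only valid value is `1`) and lets a site advertise support at `/.well-known/gpc.json`. The request headers, the state code, the `LAST_UPDATE` date and the set of mandating states (taken from the list above) are constructed inputs, not from any specific product.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Constructed example: a request is modelled as a plain dict of HTTP headers
(names may arrive in any letter case) plus the consumer's state of residence.
"""
import json

# States the page lists as requiring recognition of universal opt-out signals.
GPC_STATES = {"CA", "CO", "CT", "OR", "DE", "MD", "MN", "MT", "NH", "NJ", "TX"}

# Constructed date for the well-known resource; a real deployment would
# update this whenever its GPC handling changes.
LAST_UPDATE = "2026-05-01"


def gpc_signal_present(headers):
    """Return True only when the request carries a valid GPC signal.

    The GPC draft defines the `Sec-GPC` header whose only valid value is the
    string "1"; any other value (or the header's absence) means no signal.
    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def opt_out_of_sale(headers, state):
    """Decide whether to treat the request as an opt-out of sale/sharing.

    Honoring the signal for every visitor is the simplest compliant posture;
    the state check only records whether a statute on this page mandates it,
    which matters for audit logs and enforcement exposure, not for behaviour.
    """
    signal = gpc_signal_present(headers)
    mandated = state.strip().upper() in GPC_STATES
    return {"opt_out": signal, "legally_required": signal and mandated}


def gpc_well_known():
    """Body for GET /.well-known/gpc.json, the resource the GPC draft uses so
    that clients can learn a site honors the signal."""
    return json.dumps({"gpc": True, "lastUpdate": LAST_UPDATE})


if __name__ == "__main__":
    # Constructed requests: a GPC-enabled browser from Texas and one from a
    # state with no universal-opt-out mandate.
    print(opt_out_of_sale({"Sec-GPC": "1", "Host": "example.test"}, "TX"))
    print(opt_out_of_sale({"Sec-GPC": "1"}, "NY"))
    print(gpc_well_known())
```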
5. Children’s Privacy Is a Rapidly Expanding Area
Nearly every new state privacy law includes enhanced protections for minors. Standalone children’s online safety and social media laws are proliferating, with at least nine states enacting restrictions. Age-appropriate design codes, dark pattern prohibitions for minors, and restrictions on targeted advertising to children are becoming standard features of new legislation.[27]
6. No Federal Comprehensive Privacy Law
The American Privacy Rights Act (APRA) was introduced in 2024 with bipartisan support but did not advance. The absence of federal legislation means the patchwork of 20 state laws, with differing thresholds, definitions, consumer rights, and enforcement mechanisms, continues to grow, creating significant compliance complexity for companies operating nationally.[1]
7. Enforcement Is Accelerating
The Texas AG’s $1.4 billion Meta settlement and the CPPA’s expanding enforcement program demonstrate that state-level privacy enforcement has reached a level of financial consequence previously associated only with federal agencies or European DPAs. The expiration of cure periods in Colorado, Connecticut, Montana, New Hampshire, and — as of January 31, 2026 — Minnesota gives AGs immediate enforcement authority without the delay of a mandatory cure window. Texas filed its first TDPSA enforcement action in January 2025 (Allstate/Arity geolocation case); California, Texas, Colorado, Connecticut, Maryland, Minnesota, Oregon, and New Jersey are expected to be the most active enforcement states in 2026.[12][32]
8. OS-Level Age Verification: A New Frontier
California’s AB 1043 (effective January 1, 2027) represents the first attempt by any US state to impose age-verification obligations at the operating system layer rather than on individual apps or platforms. By requiring all OS providers to expose a standardized age-bracket API, California is attempting to create infrastructure that would allow any app to access a user’s age category without each app independently conducting age verification. The approach raises unresolved questions about implementation on multi-user devices and open-source operating systems, and Newsom himself has asked the legislature to address these issues before the 2027 effective date.[31]
9. State-Level VPN Regulation Has Begun
Utah’s SB 73 makes Utah the first US state to write VPN circumvention into its age-verification statute. The model is indirect: rather than banning VPN users, it makes the visited website liable for traffic from a Utah-located user even when the user’s apparent IP is outside Utah, and bars sites from explaining how a VPN works. Wisconsin tried a similar provision and pulled it back. Michigan’s pending HB 4938 takes the more aggressive route of conscripting ISPs to detect and block circumvention tools at the network layer. Whether the Utah model survives constitutional review will determine how aggressively other age-verification states follow.[44]
Pending Legislation
State legislatures introduced roughly 300 AI bills and ~180 consumer-privacy bills in 2026 sessions. The most active themes mirror this directory’s topic list, and the bills below are tracked weekly (e.g., the Troutman “Proposed State Privacy and AI Law Update” series), since status changes frequently.[49]
Data Brokers and Geolocation
Connecticut SB 4 would add a California-style data-broker registration regime, ban the sale of geolocation data, and add facial-recognition provisions to the Connecticut Data Privacy Act. There is a broad multistate trend to prohibit selling precise geolocation: Oregon’s amendment bars sale of geolocation within a 1,750-foot radius, and Virginia’s SB 338 (signed 2026) prohibits controllers from selling precise geolocation under the VCDPA. Several states are also weighing tighter limits on government and law-enforcement purchase of broker data.[49]
AI Transparency and Automated Decisions
Illinois SB 315, approved by the General Assembly and awaiting enactment, is a frontier-AI transparency bill; Illinois, Connecticut, and New York are finalizing some of the most consequential 2026 AI and automated-decision-making provisions. These complement already-enacted measures such as Texas’s TRAIGA (HB 149, effective January 1, 2026) and California’s ADMT regulations.[49]
Age Verification, Social Media, and VPNs
The age-verification wave continues into 2026 sessions (app-store accountability, social-media minimum-age, and adult-content verification bills described in the Key Trends section above), along with the first state VPN-circumvention provisions (Utah SB 73 in force; Michigan HB 4938 pending). Most face First Amendment and Commerce Clause challenges.[49]
