Which State Privacy Laws Apply to Your Business in 2026?

2026-03-01 · Privio Team

If you're running a business in the United States in 2026, there's a good chance at least one state privacy law applies to you — and quite possibly several.

With 20+ states now having comprehensive consumer privacy laws on the books, the patchwork of regulations can feel overwhelming. But here's the good news: understanding whether a law applies to your business comes down to a few key factors.

The Three Questions That Matter

Every state privacy law has applicability thresholds — conditions that determine whether your business falls under the law's jurisdiction. While the specifics vary, they generally come down to:

1. Where Do You Operate (or Reach Consumers)?

Most state privacy laws apply if you do business in the state or target consumers residing there. This doesn't always mean having a physical office — an e-commerce store shipping to California customers can trigger CCPA obligations.

2. How Big Is Your Business?

Revenue and data volume thresholds vary significantly:

  • California (CCPA/CPRA): $25M+ annual revenue, OR 100,000+ consumers' data, OR 50%+ revenue from selling data
  • Virginia (VCDPA): 100,000+ consumers' data, OR 25,000+ consumers if you derive 50%+ revenue from data sales
  • Colorado (CPA): 100,000+ consumers per year, OR 25,000+ consumers with revenue from data sales

3. What Data Do You Collect?

Several laws have stricter requirements if you handle sensitive data — health information, biometric data, children's data, or precise geolocation. Some laws, like those in Texas and Montana, apply to businesses of any size if they process personal data.

The States You Need to Watch

As of 2026, states with comprehensive privacy laws include:

  • Already enforced: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware
  • Taking effect in 2025–2026: Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Kentucky, Rhode Island, and more

What Should You Do?

  1. Assess your exposure — Determine which states you operate in or reach consumers in
  2. Check the thresholds — Compare your revenue and data volumes against each law
  3. Identify overlaps — Many requirements are similar across states, so you can satisfy multiple laws with one action
  4. Build a compliance checklist — Prioritize by enforcement dates and penalty severity