
US Data Privacy Laws and Regulations in 2026

March 20, 2026 by Bill Tolson

In 2026, organizations are navigating a growing landscape of U.S. data privacy laws, with nearly 20 states now introducing their own regulations. While early privacy legislation focused primarily on California’s Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the modern privacy landscape is far broader. Multiple states have enacted comprehensive privacy statutes, and several existing laws now include new regulatory requirements.

Key takeaways

  • Three new comprehensive privacy laws take effect in 2026 in Indiana, Kentucky, and Rhode Island.
  • Several states with existing privacy laws, including California, Connecticut, Oregon, and Utah, have major regulatory updates taking effect in 2026.
  • Nearly twenty US states now have comprehensive consumer privacy laws, creating ongoing multi-state compliance obligations.
  • Penalties can reach $7,500 or more per violation, depending on the state.
  • Effective compliance now requires integrating privacy, data governance, retention, and communications archiving.

What to know about privacy laws in 2026

The US privacy landscape has shifted from a patchwork of emerging, divergent regulations to a complex, constantly evolving regulatory environment.

Major 2026 developments include new state laws, expanded consumer rights, and heightened regulatory focus on minors’ data and automated decision-making. These mark a significant shift in how organizations must manage and protect personal information across the United States.

  • Three new comprehensive privacy laws are taking effect in Indiana, Kentucky, and Rhode Island.
  • Regulatory updates take effect in California, Connecticut, Oregon, and Utah.
  • Arkansas is introducing a new privacy law effective July 2026.
  • Regulatory focus on minors’ data, automated decision-making, and data broker transparency is increasing.
  • Consumer rights such as data correction and universal opt-out mechanisms are expanding.
  • For organizations operating across multiple states, privacy compliance now requires ongoing governance rather than a one-time legal review.

For 2026, the most important question for companies is whether existing data privacy compliance programs remain sufficient.

How many states have privacy laws?

As of 2026, approximately 19 US states have comprehensive consumer privacy laws. Some analysts put the number at 20, depending on how Florida’s Digital Bill of Rights is categorized.

This expanding patchwork of state legislation reflects the rising importance of data protection nationwide, as lawmakers respond to evolving concerns about personal information, digital rights, and technological change.

The introduction of new statutes in states such as Indiana, Kentucky, and Rhode Island — along with ongoing updates in states like California and Connecticut — demonstrates a nationwide shift toward stronger privacy governance. For organizations, this means navigating an increasingly complex and dynamic regulatory environment, where compliance requirements vary from state to state and are regularly updated to address emerging risks and consumer expectations.

These new laws increasingly include unique requirements that call for state-specific compliance programs, adding to the compliance complexity.

New US state privacy laws taking effect in 2026

Three new privacy laws came into effect on January 1, 2026, expanding the number of states with comprehensive privacy legislation. This wave of new regulations reflects a broader national trend toward strengthening consumer data protections and addressing the rapidly evolving landscape of digital privacy. By enacting these statutes, state lawmakers continue to respond to growing public concerns about how personal information is collected, used, and shared online.

Indiana Consumer Data Protection Act

The Indiana Consumer Data Protection Act provides residents with several key rights, including:

  • access to personal data
  • correction of inaccurate data
  • deletion of personal information
  • data portability
  • opt-out rights for targeted advertising and data sales

The law closely mirrors the Virginia model used by several other states.

Kentucky Consumer Data Protection Act

Kentucky’s privacy law also took effect January 1, 2026.

The law introduces:

  • consumer access and deletion rights
  • data portability requirements
  • opt-out rights for targeted advertising and data sales
  • enforcement authority for the Kentucky Attorney General

Kentucky also created an Office of Data Privacy, demonstrating the state’s commitment to enforcement and oversight.

Rhode Island Data Transparency and Privacy Protection Act

Rhode Island’s privacy law establishes a comprehensive framework that includes:

  • consumer rights to access and delete personal data
  • data portability rights
  • opt-out rights for data sales and targeted advertising
  • transparency obligations for businesses collecting personal data

Rhode Island’s adoption further expands the nationwide privacy compliance landscape.

Recent privacy law changes in 2026

Several states with existing privacy laws have introduced important amendments or regulatory updates.

California Privacy Rights Act updates

California remains the most influential privacy regulator in the United States.

Two major changes occur in 2026:

  • New California Privacy Protection Agency regulations require risk assessments and cybersecurity audits for certain businesses.
  • Implementation of the Delete Act, which creates a centralized deletion system for data brokers beginning August 1, 2026.

These changes further expand California’s already robust privacy framework.

Connecticut Data Privacy Act amendments

Connecticut passed amendments to its Connecticut Data Privacy Act (CTDPA) that take effect July 1, 2026.

The amendments introduce:

  • expanded consumer access rights
  • stronger protections for minors
  • additional limitations on profiling and automated decision-making

Oregon Consumer Privacy Act updates

The Oregon Consumer Privacy Act introduces several significant new restrictions beginning January 1, 2026.

These include:

  • mandatory recognition of universal opt-out signals
  • restrictions on selling precise geolocation data
  • prohibitions on selling personal data of consumers under age 16

Utah Consumer Privacy Act amendment

Utah’s privacy law now includes a right to correct inaccurate personal data, effective July 1, 2026.

Although Utah’s law remains relatively business-friendly compared with other states, this change still requires updates to consumer rights workflows.

Arkansas Consumer Data Protection Act

Arkansas joins the growing list of privacy states when its law takes effect July 1, 2026.

The new law introduces standard privacy rights and requirements, including:

  • data access
  • data deletion
  • data portability
  • opt-out rights for targeted advertising

Common trends in state privacy bills

The biggest trend in state privacy legislation is greater specificity and stronger enforcement frameworks.

States are increasingly focusing on:

  • minors’ data protections
  • automated decision-making oversight
  • data minimization requirements
  • geolocation data restrictions
  • universal opt-out mechanisms
  • data broker transparency

Although many laws still follow the original Virginia-style model, new amendments are beginning to cause the various state laws to diverge significantly.

There has been a notable, rapid expansion of data privacy legislation in the United States over the last several years. New privacy laws have been enacted across multiple states, each introducing a variety of consumer rights and compliance obligations for businesses.

States such as Utah and Arkansas have introduced comprehensive data protection measures, including rights to access, correct, delete, and transfer personal information, as well as opt-out provisions for targeted advertising. Organizations operating across these jurisdictions need to monitor ongoing law changes to keep data practices aligned with current requirements.

Are there US federal data privacy laws?

Despite multiple legislative proposals, the United States still lacks a comprehensive federal privacy law that would preempt all existing state data privacy laws.

Congress has considered several proposals, but none have been enacted. We previously wrote about the stalled federal data privacy law, the American Data Privacy and Protection Act.

As a result, organizations bear the burden of managing compliance rather than relying on a unified federal framework.

What are the penalties for violating state privacy laws?

Most privacy laws authorize enforcement by state attorneys general and include civil penalties. And because violations can apply to individual consumer records, regulatory exposure can escalate quickly (each consumer whose rights are violated may be treated as a separate offense, multiplying the total fines and liabilities).

Many states share similar penalties. Fines of $7,500 to $10,000 per violation are common. There is often additional exposure for violations involving minors. Additional penalties can also be added under other consumer protection laws.

States with distinct enforcement provisions

  • Colorado
    • Penalties are set at $20,000 per violation, increasing to $50,000 for violations affecting consumers aged 60 or older.
    • Colorado enforces its privacy law through the Colorado Consumer Protection Act, which can allow regulators to pursue substantial penalties.
  • Montana
    • The law does not specify a maximum amount for civil penalties.
    • Only the state attorney general is authorized to enforce the law.
  • California
    • Penalties can be substantial, especially when based on the age of the consumer and assessed per affected individual.

State attorneys general have the power to investigate potential violations, issue fines, and pursue legal action against organizations that fail to comply with state privacy statutes. Civil penalties are designed to deter noncompliance and encourage organizations to adopt robust privacy practices. In addition to government enforcement, some states allow private citizens to bring lawsuits in certain circumstances, further increasing the risk to organizations.

What data privacy updates mean for compliance teams

The expansion of state privacy regulation has created several new compliance challenges for organizations.

  • Data inventory management
    Keep clear, accurate records of the personal data you collect, process, and store — and understand the purpose behind collecting it.
  • Consumer rights fulfillment
    Respond promptly to requests related to personal data, including access, data deletion, inaccurate data correction, and data portability.
  • Vendor and processor management
    Stay informed about how third-party vendors handle and protect personal data to support compliance and reduce risk.
  • Data retention and governance
    Retain personal data only for legitimate business purposes and only for as long as it’s appropriate or required.

Why privacy compliance now requires strong data governance

Modern data privacy laws increasingly function as data governance mandates. Organizations are expected to show they can:

  • identify personal data across systems
  • enforce retention policies
  • secure the data properly
  • support deletion requests
  • respond to regulatory investigations
  • maintain secure communications archives

This means privacy compliance now intersects directly with records management, e-discovery, and regulatory archiving.

Regulatory mandates for data storage compliance in the US states

Organizations conducting business in the US are expected to adopt specific practices for managing information.

  • Retention: Define and follow clear policies for how long data (especially personal and communications data) is stored, with guidelines for both minimum and maximum timeframes.
  • Security: Put strong safeguards in place to protect personal information from unauthorized access or misuse.
  • Access: Manage and monitor who can access personal data to help ensure it’s only available to the right people.
  • Deletion: Support individuals’ requests to delete their personal data by having processes to locate and securely remove it. Regularly clean up data that’s no longer needed in line with your retention policies.
  • Regulatory response: Maintain processes to respond quickly and accurately to regulatory investigations or information requests.

By enforcing these rules around retention, security, access, and deletion, data privacy laws ensure that organizations protect personal information, respect individuals' rights, and remain accountable to regulators.

A defensible archive and centralized data governance strategy help organizations meet privacy requirements while maintaining readiness for legal, regulatory, and e-discovery demands.

What is a privacy-compliant archive?

A privacy-compliant archive is a secure, centralized repository designed to help organizations meet obligations under evolving privacy laws and regulations. Such an archive enforces data-retention policies, ensuring information is held only for as long as needed and deleted when appropriate. It incorporates security measures to protect sensitive personal and communications data from unauthorized access or breaches.

Access controls are foundational, allowing organizations to monitor and restrict who can view, modify, or delete archived information — thereby upholding privacy rights and regulatory mandates.

Additionally, a compliant archive provides mechanisms for identifying and erasing personal data upon request, supporting individuals’ legal rights to deletion and ensuring routine purging of obsolete records. Audit trails and documentation capabilities are essential, enabling organizations to respond accurately and promptly to regulatory inquiries or e-discovery demands.

By integrating retention, security, access management, and deletion processes, a privacy-compliant archive helps organizations protect personal information, maintain regulatory accountability, and stay prepared for legal, regulatory, and investigative demands.

How does Smarsh help with data privacy laws?

The Smarsh cloud-based archiving platform connects with leading communication tools, capturing and preserving relevant data in a secure, centralized repository. This approach supports compliance with data privacy laws by making it easier to monitor, audit, and respond to regulatory requests.

Smarsh helps organizations of all sizes maintain data privacy consistently across all communication channels.

  • Capture communications data across many digital channels.
  • Enforce retention and disposition policies.
  • Support privacy-related search and deletion requests.
  • Secure sensitive data with advanced encryption, access controls, and monitoring.
  • Maintain audit trails for regulatory investigations.

By centralizing communications data, organizations can better meet evolving data privacy, compliance, and governance obligations.
