Key Takeaways
- 19 US states have enacted comprehensive privacy laws as of 2026
- Most state laws follow an opt-out model (unlike GDPR opt-in), but requirements vary significantly
- Global Privacy Control (GPC) is legally required in California, Colorado, Connecticut, Texas, Montana, Oregon, and Minnesota (see the state-by-state table below)
- Universal opt-out mechanisms are becoming the standard, with more states adding GPC requirements each year
- A single website serving all 50 states needs to handle different consent rules per visitor location
The US Privacy Landscape: No Federal Law, 19+ State Laws
Congress has debated federal privacy legislation for years. The ADPPA passed a House committee in 2022 before stalling. The APRA was introduced in 2024 and met the same fate. As of March 2026, no federal bill has passed.
The sticking point is preemption: California wants to keep its stronger protections, industry wants a single standard. Until they agree, the patchwork grows.
For developers, three practical consequences:
- You cannot build one consent experience and call it done. Different states mean different rights, different GPC requirements, different consent models.
- You need geo-detection. Your site must determine visitor location and apply the correct model automatically.
- The surface area keeps expanding. Every legislative session, new states pass laws. Your implementation must be adaptable.
The Three Consent Models
Opt-Out (most common). Businesses collect and process data by default. Consumers opt out of sales, targeted advertising, and profiling. Analytics and marketing scripts run by default, but you must honor opt-out requests and universal opt-out mechanisms like GPC.
Opt-In for Sensitive Data. Most states require affirmative consent before processing sensitive data (health, biometric, precise geolocation, children's data). This creates a hybrid: opt-out for standard data, opt-in for sensitive data.
Notice-Only. Utah uses a more permissive model. Provide notice of data practices, but consent requirements are lighter.
State-by-State Comparison
| State | Law | Effective | Consent Model | GPC Required | Key Unique Provisions |
|---|---|---|---|---|---|
| California | CCPA/CPRA | 2020/2023 | Opt-out (opt-in for minors <16) | Yes | Broadest scope. Private right of action. CPPA enforcement. "Do Not Sell or Share" link. |
| Virginia | VCDPA | Jan 2023 | Opt-out | No | AG only. Narrow "sale" definition (monetary). |
| Colorado | CPA | Jul 2023 | Opt-out (opt-in sensitive) | Yes | First besides CA to mandate universal opt-out. Biennial assessments. |
| Connecticut | CTDPA | Jul 2023 | Opt-out (opt-in sensitive) | Yes | Covers nonprofits. Health data is sensitive. Broad "sale" definition. |
| Utah | UCPA | Dec 2023 | Notice-only / Opt-out | No | Most business-friendly. $25M revenue threshold. No opt-in for sensitive data. |
| Texas | TDPSA | Jul 2024 | Opt-out (opt-in sensitive) | Yes | No revenue threshold. Applies to any entity in Texas. |
| Oregon | OCPA | Jul 2024 | Opt-out (opt-in sensitive) | Yes | Covers nonprofits. Transgender/nonbinary data is sensitive. |
| Montana | MCDPA | Oct 2024 | Opt-out (opt-in sensitive) | Yes | Low threshold (50,000 consumers). |
| Delaware | DPDPA | Jan 2025 | Opt-out (opt-in sensitive) | No | Covers nonprofits. Low threshold (35,000 consumers). |
| Iowa | ICDPA | Jan 2025 | Opt-out | No | Narrowest scope. 90-day cure period. No opt-in for sensitive data. |
| New Hampshire | NH SB 255 | Jan 2025 | Opt-out (opt-in sensitive) | No | Close to Connecticut model. |
| New Jersey | NJ SB 332 | Jan 2025 | Opt-out (opt-in sensitive) | No | Financial data is sensitive. No cure period. |
| Tennessee | TIPA | Jul 2025 | Opt-out (opt-in sensitive) | No | Affirmative defense for NIST-aligned privacy programs. |
| Minnesota | MNCDPA | Jul 2025 | Opt-out (opt-in sensitive) | Yes | Right to question automated decisions. Data inventories required. |
| Maryland | MODPA | Oct 2025 | Opt-out (opt-in sensitive) | No | Stricter data minimization. One of the more restrictive laws. |
| Indiana | ICDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Virginia model. |
| Kentucky | KCDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Virginia/Connecticut hybrid. |
| Nebraska | NDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | No revenue or volume threshold. |
| Rhode Island | RIDPA | Jan 2026 | Opt-out (opt-in sensitive) | No | Transparency reports required. |
Coming soon: Vermont (Jul 2026, includes private right of action), Wisconsin (Jan 2026), Michigan and Pennsylvania (pending).
Where States Diverge: Key Provisions
Sale of Personal Data
Narrow definition (monetary only): Virginia, Utah, Iowa, Indiana. Sharing data with an ad platform for free may not qualify as a "sale."
Broad definition (includes non-monetary exchange): California, Colorado, Connecticut, Texas, Oregon, Delaware, New Jersey, Maryland. Sharing data with an ad platform in exchange for ad services qualifies.
The safest approach: treat any data sharing with third-party advertising platforms as a potential "sale" and provide opt-out universally.
Sensitive Data
Nearly every state treats sensitive data differently, requiring opt-in consent. Universal categories include: racial/ethnic origin, religious beliefs, health data, sexual orientation, genetic/biometric data, and children's data.
State-specific additions: California adds SSN, financial accounts, precise geolocation, and mail/message contents. Oregon adds transgender/nonbinary status. Connecticut, Colorado, and Texas add precise geolocation (within 1,750 feet). New Jersey adds financial data. Maryland restricts sensitive data processing to what is strictly necessary.
If your app collects any of these, you need opt-in consent, and the categories depend on the visitor's state.
Children's Data
All states defer to COPPA for under-13. California requires opt-in for under-16 for sale/sharing. Most other states classify children's data as sensitive requiring opt-in. If your site has users under 16, California imposes the strictest requirements.
Global Privacy Control: Which States Require It
As of 2026, these states legally require businesses to honor GPC: California, Colorado, Connecticut, Texas, Montana, Oregon, and Minnesota.
When GPC is detected from a visitor in a requiring state:
- Suppress sale/sharing of personal data immediately
- Block targeted advertising scripts
- Do not require additional confirmation
- Apply the opt-out with no processing delay
The complexity grows with the number of requiring states. You need to detect the signal, determine visitor location, check state requirements, and apply the response. A CMP that handles geo-detection and GPC automatically eliminates this burden. ConsentStack detects GPC and applies the correct opt-out behavior based on visitor state across all 19 US states.
Geo-Detection: The Core Engineering Problem
With 19 states imposing different requirements, geo-detection is not optional. Without it, you either apply California's strictest requirements to everyone (legally safe but operationally burdensome) or apply the weakest and hope for the best (not defensible).
How It Works
CDN-level headers (best approach). Cloudflare provides CF-IPCountry and CF-Region. AWS CloudFront and Fastly offer similar headers. State-level accuracy is 95%+ for US visitors.
IP geolocation databases. MaxMind GeoIP for server-side lookup.
User self-selection (fallback only). A dropdown asking visitors to confirm their state. Not recommended as the sole method.
The implementation flow: visitor arrives, CDN determines state, consent logic maps state to applicable law, correct experience renders, GPC is checked, preferences are stored.
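The geo-detection flow above, together with the GPC response rules from the Global Privacy Control section, as an added example that is not ConsentStack's code or any CDN's API: a server-side resolver that reads Cloudflare's CF-IPCountry header, a region header assumed here to carry a two-letter state code (CF-Region-Code, one of Cloudflare's visitor-location headers; the article names CF-Region), and the Sec-GPC request header defined by the GPC specification, then maps them to the consent model and GPC handling transcribed from the comparison table.

```javascript
// Added example, not ConsentStack's code. STATE_LAWS and the two sets below are transcribed
// from the article's comparison table; header names are assumptions (Cloudflare's CF-IPCountry
// and CF-Region-Code visitor-location headers, and the Sec-GPC header from the GPC spec).
const STATE_LAWS = {
  CA: "CCPA/CPRA", VA: "VCDPA", CO: "CPA", CT: "CTDPA", UT: "UCPA", TX: "TDPSA",
  OR: "OCPA", MT: "MCDPA", DE: "DPDPA", IA: "ICDPA", NH: "NH SB 255", NJ: "NJ SB 332",
  TN: "TIPA", MN: "MNCDPA", MD: "MODPA", IN: "ICDPA", KY: "KCDPA", NE: "NDPA", RI: "RIDPA",
};
const GPC_REQUIRED = new Set(["CA", "CO", "CT", "TX", "MT", "OR", "MN"]);
const NOTICE_ONLY = new Set(["UT"]);
const NO_SENSITIVE_OPT_IN = new Set(["UT", "IA"]); // the table flags only these two

// Case-insensitive header lookup that accepts a plain object or a fetch-style Headers instance.
function headerValue(headers, name) {
  if (typeof headers.get === "function") return headers.get(name) || "";
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]) : "";
}

// Client-side counterpart: browsers expose the same signal as navigator.globalPrivacyControl.
function browserGpcSignaled(nav = globalThis.navigator) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Visitor arrives -> CDN state -> applicable law -> GPC check. Returns null for non-US
// visitors (outside this table). A US visitor whose state is unknown or has no comprehensive
// law is handled under California's rules, the strictest-standard fallback the article describes.
function resolveConsentPolicy(headers, options = {}) {
  if (headerValue(headers, "CF-IPCountry").toUpperCase() !== "US") return null;
  let state = headerValue(headers, "CF-Region-Code").toUpperCase();
  const fallbackToCalifornia = !Object.prototype.hasOwnProperty.call(STATE_LAWS, state);
  if (fallbackToCalifornia) state = "CA";
  const gpcSignaled = headerValue(headers, "Sec-GPC").trim() === "1";
  const gpcRequired = GPC_REQUIRED.has(state);
  // Honour GPC where the law requires it; honorGpcEverywhere extends that to every state,
  // the "safest approach" the article recommends for any sharing with ad platforms.
  const optedOut = gpcSignaled && (gpcRequired || options.honorGpcEverywhere === true);
  return {
    state, law: STATE_LAWS[state], fallbackToCalifornia,
    model: NOTICE_ONLY.has(state) ? "notice-only" : "opt-out",
    sensitiveDataOptIn: !NO_SENSITIVE_OPT_IN.has(state),
    gpcRequired, gpcSignaled, optedOut,
    allowSaleOrSharing: !optedOut,     // suppress sale/sharing immediately on opt-out
    allowTargetedAdScripts: !optedOut, // block targeted advertising scripts
    requireConfirmation: false,        // never ask the visitor to confirm a GPC opt-out
  };
}
```

The returned object is what a script-blocking layer would consult before loading ad or analytics tags; the geo lookup itself stays at the CDN edge, so the origin only reads headers.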
ConsentStack handles geo-detection across 19 US states using Cloudflare headers at the CDN edge. When new state laws take effect, the mapping updates on ConsentStack's side. No code changes on your end.
Practical Implementation Strategies
Strategy 1: Use a CMP with US State Support (Recommended)
| Feature | Why It Matters | Red Flag |
|---|---|---|
| US states supported | More = less manual work | "CCPA and VCDPA only" |
| GPC support | 7+ states require it | "Coming soon" |
| Geo-detection granularity | Must detect at state level | Country-level only |
| Script blocking | Opt-out must stop data sharing | Banner-only, no enforcement |
| Update frequency | Laws change constantly | Last updated 2024 |
ConsentStack covers 32 regulations across 19 US states on every tier, including free.
Strategy 2: Build Your Own
Requires: state detection service, consent model engine mapping 19+ states, GPC handler, opt-out UI, script blocking, consent storage, and ongoing maintenance. A senior developer spending 4-6 weeks on initial build plus monthly maintenance costs far more than $29/month. Build custom only if no CMP meets your needs.
Strategy 3: Apply California Rules Universally
Treat every US visitor as California. Single implementation, no geo-detection needed, always compliant with the strictest standard. Tradeoffs: over-compliance for weaker states, California-specific language may confuse visitors, and some states have unique provisions California does not cover (Oregon's transgender protections, Tennessee's NIST defense). Works for smaller teams willing to accept the tradeoffs.
Frequently Asked Questions
**19 states** have enacted comprehensive privacy laws in effect or taking effect during 2026. The number is expected to exceed 25 by 2028.
Not for most data. The majority use an **opt-out model**. However, nearly every state requires **opt-in for sensitive data** (health, biometric, geolocation, children's data). Utah is the exception, requiring only notice for sensitive data.
GPC is a browser signal that communicates opt-out preference. **7 states** legally require honoring it: California, Colorado, Connecticut, Texas, Montana, Oregon, and Minnesota. Sephora was fined **$1.2 million** in part for failing to process GPC. The trend is toward more states requiring it.
Yes, and it is a valid simplification. California has the most comprehensive requirements, so universal application generally satisfies other states. Tradeoff: over-compliance in weaker states, and some states have unique provisions California does not address.
AG investigations, civil penalties ($2,500-$7,500 per violation in California, per consumer), injunctive relief, and reputational damage. Several states are sunsetting cure periods. California and Vermont include private rights of action.
No. Use a single adaptive consent experience that adjusts based on geo-detection. The same framework renders with appropriate controls per state. ConsentStack handles this with one script tag across all 19 states.
Conclusion
US state privacy laws are accelerating, from one law in 2020 to 19 in 2026. Geo-detection, consent model mapping, GPC support, and ongoing maintenance across a growing set of jurisdictions make hardcoding state-specific logic unsustainable.
ConsentStack handles it all. Geo-detection across 19 US states, automatically applying the correct consent model. GPC honored in every requiring state. Opt-out mechanisms and sensitive data flows configured through the dashboard. When new laws take effect, mappings update automatically.
One script tag. Under 10KB. Every US state privacy law covered. From $0/month.