Data Privacy Laws by State in 2026: Your Rights in All 20 States
The United States does not have a comprehensive federal data privacy law. What it has instead is a growing patchwork of state-level legislation — 20 states and counting — each with different definitions, thresholds, and enforcement mechanisms.
If you want to know whether you have the right to tell a data broker to delete your personal information, the answer depends on where you live. This guide covers every state with a comprehensive consumer privacy law as of 2026, what each law gives you, and where the gaps remain.
Why State Laws Matter for Data Broker Removal
Data brokers collect and sell personal information on hundreds of millions of Americans. The industry generates an estimated $290 billion or more annually. In 2025, a record 3,322 data breaches exposed personal data at an unprecedented scale, with 278.8 million victim notification letters sent.
State privacy laws give you legal tools to fight back. The most important rights for data broker removal are:
- Right to know: You can ask a company what personal data it holds about you
- Right to delete: You can request that a company delete your data
- Right to opt out of sale: You can tell a company to stop selling your data
- Right to opt out of targeted advertising: You can prevent companies from using your data for ad targeting
Not every state law includes all of these rights, and the definitions of "sale" vary significantly. Here is what each state provides.
The 20 States With Comprehensive Privacy Laws
1. California — CCPA/CPRA
Law: California Consumer Privacy Act (2018), amended by the California Privacy Rights Act (2020) Effective: January 1, 2020 (CCPA); January 1, 2023 (CPRA amendments) Enforcement: California Privacy Protection Agency (CPPA)
California's law is the strongest in the nation. It covers any business that collects personal information from California residents and meets revenue or data volume thresholds. Key provisions:
- Right to know, delete, and correct personal information
- Right to opt out of the sale or sharing of personal data (broad definition of "sale")
- Right to limit use of sensitive personal information
- Private right of action for data breaches (consumers can sue)
- No exemption for data brokers — they are explicitly covered
- Data broker registration requirement: Brokers must register with the CPPA
The DELETE Act (SB 362): Signed in 2023, this law creates the Data and Privacy Protection Online Portal (DROP tool), launching August 2026. It will allow California residents to submit a single opt-out request that applies to all registered data brokers in the state. This is the first centralized data broker opt-out mechanism in the US and could fundamentally change how removal works.
Your power level: Maximum. California gives you the most tools to control your data of any state.
2. Virginia — VCDPA
Law: Virginia Consumer Data Protection Act Effective: January 1, 2023 Enforcement: Attorney General only
Virginia was the second state to pass comprehensive privacy legislation. It provides:
- Right to access, correct, and delete personal data
- Right to opt out of sale, targeted advertising, and profiling
- No private right of action
- Higher business thresholds (100,000+ consumers or 25,000+ consumers with 50% revenue from data sales)
- Narrower definition of "sale" — requires monetary consideration
Your power level: Moderate. You can opt out and request deletion, but enforcement depends entirely on the Attorney General.
3. Colorado — CPA
Law: Colorado Privacy Act Effective: July 1, 2023 Enforcement: Attorney General
- Right to access, correct, delete, and obtain portable copies of data
- Right to opt out of sale, targeted advertising, and profiling
- Universal opt-out mechanism requirement (browsers/extensions can signal opt-out)
- Requires data protection assessments for high-risk processing
Your power level: Strong. The universal opt-out mechanism is a meaningful addition that other states lack.
4. Connecticut — CTDPA
Law: Connecticut Data Privacy Act Effective: July 1, 2023 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Universal opt-out mechanism support
- Covers nonprofits (unlike most state laws)
- Loyalty program protections
Your power level: Strong. Similar to Colorado, with the addition of nonprofit coverage.
5. Utah — UCPA
Law: Utah Consumer Privacy Act Effective: December 31, 2023 Enforcement: Attorney General
- Right to access, delete, and port data
- Right to opt out of sale and targeted advertising
- No right to correct data
- Higher business thresholds ($25M+ revenue)
- Most business-friendly of the early privacy laws
Your power level: Limited. Covers the basics but with significant carve-outs.
6. Iowa — ICDPA
Law: Iowa Consumer Data Protection Act Effective: January 1, 2025 Enforcement: Attorney General
- Right to access, delete, and port data
- Right to opt out of sale and targeted advertising
- No right to correct data
- No requirement for universal opt-out signals
- 90-day cure period for violations (businesses get time to fix issues before penalties)
Your power level: Limited. The lengthy cure period weakens enforcement.
7. Delaware — DPDPA
Law: Delaware Personal Data Privacy Act Effective: January 1, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Covers businesses processing 35,000+ consumers (lower threshold than most states)
- No revenue threshold — broader business coverage
- Covers nonprofits
Your power level: Strong. The low consumer threshold and nonprofit coverage make this one of the better laws.
8. Nebraska — NDPA
Law: Nebraska Data Privacy Act Effective: January 1, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- No revenue or consumer count threshold — applies to all businesses operating in the state
- Recognized universal opt-out mechanism
Your power level: Strong. The lack of business thresholds is significant — no company is too small to be covered.
9. New Hampshire — NHPDPA
Law: New Hampshire Privacy of Data and Personal Data Act Effective: January 1, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Universal opt-out mechanism support
- 60-day cure period
Your power level: Moderate. Standard provisions with universal opt-out support.
10. New Jersey — NJDPA
Law: New Jersey Data Privacy Act Effective: January 15, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Covers financial data (some states exempt it)
- Universal opt-out mechanism support
- Heightened protections for minors' data
Your power level: Strong. Financial data coverage is an important differentiator.
11. Tennessee — TIPA
Law: Tennessee Information Protection Act Effective: July 1, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- 60-day cure period
- Affirmative defense for companies following NIST privacy frameworks
Your power level: Moderate. The NIST defense gives well-resourced companies a way to avoid liability.
12. Minnesota — MCDPA
Law: Minnesota Consumer Data Privacy Act Effective: July 31, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Private right of action (one of few states with this)
- Strong protections for biometric and health data
- Universal opt-out support
Your power level: Strong. The private right of action gives you real enforcement teeth.
13. Maryland — MODPA
Law: Maryland Online Data Privacy Act Effective: October 1, 2025 Enforcement: Attorney General
Maryland's law is widely considered the most stringent after California. Key differences:
- Data minimization requirement: Companies can only collect data "reasonably necessary" for the service
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Prohibits sale of sensitive data entirely — not just opt-out, an outright ban
- Covers children's data with enhanced protections
- No cure period — violations can be enforced immediately
Your power level: Maximum (after California). The data minimization and sensitive data sale ban are the strongest provisions outside California.
14. Texas — TDPSA
Law: Texas Data Privacy and Security Act Effective: July 1, 2024 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Covers small businesses (no revenue threshold)
- 30-day cure period
- Specific protections for biometric data
Your power level: Moderate. Broad business coverage but limited enforcement.
15. Oregon — OCPA
Law: Oregon Consumer Privacy Act Effective: July 1, 2024 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Covers nonprofits
- No revenue threshold
- Universal opt-out support
- Right to a list of third parties data was shared with
Your power level: Strong. Nonprofit coverage and the third-party disclosure right are notable.
16. Montana — MCDPA
Law: Montana Consumer Data Privacy Act Effective: October 1, 2024 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Low consumer threshold (50,000 residents — meaningful given Montana's population)
- Universal opt-out support
Your power level: Moderate to strong. Well-designed for a smaller-population state.
17. Indiana — ICDPA
Law: Indiana Consumer Data Protection Act Effective: January 1, 2026 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- 30-day cure period
- Standard business thresholds (100,000+ consumers)
Your power level: Moderate. Standard protections with no standout features.
18. Kentucky — KCDPA
Law: Kentucky Consumer Data Protection Act Effective: January 1, 2026 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- 30-day cure period
- Closely modeled on Virginia's VCDPA
Your power level: Moderate. Follows the Virginia template.
19. Rhode Island — RIDPA
Law: Rhode Island Data Privacy Act Effective: January 1, 2026 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Data breach notification within 30 days
- Requires privacy impact assessments
Your power level: Moderate. The 30-day breach notification timeline is stricter than most.
20. Oklahoma — OCPA
Law: Oklahoma Computer Data Privacy Act Effective: November 1, 2025 Enforcement: Attorney General
- Right to access, correct, delete, and port data
- Right to opt out of sale, targeted advertising, and profiling
- Covers businesses processing 100,000+ consumers
- 30-day cure period
Your power level: Moderate. Standard provisions.
States That Give You the Most Power
Based on the breadth of rights, enforcement mechanisms, and data broker coverage, the states offering the strongest protections are:
- California — DELETE Act, data broker registration, private right of action, broadest definition of "sale"
- Maryland — Data minimization, sensitive data sale ban, no cure period
- Minnesota — Private right of action, strong biometric protections
- Colorado and Connecticut — Universal opt-out, comprehensive rights
- Nebraska and Oregon — No business thresholds, broad coverage
Why There Is No Federal Law Yet
Multiple federal privacy bills have been introduced in Congress, including the American Data Privacy and Protection Act (ADPPA). None have passed, primarily due to disagreements over:
- Federal preemption: Whether a federal law should override stronger state laws like California's
- Private right of action: Whether consumers should be able to sue directly or only rely on government enforcement
- Industry lobbying: The data broker industry and major tech companies have spent hundreds of millions opposing comprehensive regulation
Until a federal law passes, the state patchwork will continue to expand. The 30 states without privacy laws leave their residents with minimal protections against data broker practices.
What You Can Do Regardless of Your State
Even if your state does not have a privacy law, you can still take action:
- Submit opt-out requests directly to data brokers: Most brokers honor opt-out requests regardless of state, as it is simpler than maintaining state-by-state compliance
- Use California's rights if a broker is California-registered: Many major brokers are
- Use automated removal services: Sirveil scans for your data across broker sites and submits removal requests on your behalf, regardless of which state you live in
- Support privacy legislation: Contact your state legislators and advocate for comprehensive privacy laws
The Bottom Line
Your data privacy rights depend heavily on your zip code — a situation that should change but has not yet. In the meantime, knowing what tools your state gives you is the first step toward using them.
Sirveil helps you exercise your removal rights at scale, starting at $7.99/month, or $79.99/year on the annual plan. Whether your state has a privacy law or not, data brokers are collecting and selling your information. The question is whether you will let them.
The Sirveil Team builds privacy tools that put individuals back in control of their personal data. Sirveil's AI-powered platform scans data broker sites and the dark web for your exposed information, automates removal requests, and provides continuous monitoring. Learn more at sirveil.ai.