Which Privacy Laws Apply to Your Business in 2026?
Twenty US states now have comprehensive privacy laws. The EU AI Act is entering enforcement. International regulations are tightening. Here's what you need to know.
What Changed in 2026
Three new state laws - Indiana, Kentucky, and Rhode Island - took effect January 1, 2026. Five existing laws (California, Colorado, Connecticut, Oregon, Utah) got significant amendments. Enforcement is no longer hypothetical: state attorneys general are filing lawsuits and coordinating multi-state investigations.
Globally, the EU AI Act hit its biggest enforcement milestones, India's DPDP Act entered phased implementation, and Brazil's LGPD enforcement matured. Cross-border compliance is more complex than ever.
All 20 US State Privacy Laws
| State | Law | Effective | |
|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 | $25M revenue or 100K consumers |
| Virginia | VCDPA | Jan 2023 | 100K consumers |
| Colorado | CPA | Jul 2023 | 100K consumers |
| Connecticut | CTDPA | Jul 2023 | 100K consumers |
| Utah | UCPA | Dec 2023 | $25M revenue + 100K consumers |
| Iowa | ICDPA | Jan 2025 | 100K consumers |
| Montana | MCDPA | Oct 2024 | 50K consumers |
| Tennessee | TIPA | Jul 2025 | 100K consumers |
| Texas | TDPSA | Jul 2024 | No revenue threshold |
| Oregon | OCPA | Jul 2024 | 100K consumers |
| Delaware | DPDPA | Jan 2025 | 35K consumers |
| New Hampshire | SB 255 | Jan 2025 | 35K consumers |
| New Jersey | SB 332 | Jan 2025 | 100K consumers |
| Maryland | MODPA | Apr 2026 | 35K consumers |
| Minnesota | MCDPA | Jul 2025 | 100K consumers |
| Nebraska | NDPA | Jan 2025 | No specific threshold |
| New Hampshire | SB 255 | Jan 2025 | 35K consumers |
| Indiana | ICDPA | Jan 2026 | 100K consumers |
| Kentucky | KCDPA | Jan 2026 | 100K consumers |
| Rhode Island | RIDTPPA | Jan 2026 | 35K consumers |
Notable: Texas has no minimum revenue threshold, making it applicable to far more businesses. Rhode Island offers no cure period - violations can trigger immediate enforcement. Twelve states now require recognition of Universal Opt-Out Mechanisms (like Global Privacy Control).
Not sure which laws apply to you?
Answer 7 questions. Get your personalized compliance report in under 2 minutes. Free, no signup.
Check My Compliance Now →Key International Laws
GDPR - Still the most consequential global privacy law. Applies to any business processing EU residents' data, regardless of location. Fines: up to 4% of global revenue or €20M.
EU AI Act - The biggest 2026 development. If you deploy AI in customer-facing contexts (chatbots, hiring, credit), this likely applies. Major enforcement begins August 2026.
India DPDP - Phased rollout through 2026. Consent manager registration by November 2026. Penalties up to ~$30M.
Brazil LGPD - Fully mature enforcement. Up to 2% of revenue (max R$50M per infraction).
What Determines Which Laws Apply to You
Six factors determine your exposure: where your business is located, where your customers are, how many consumers' data you process, your annual revenue, what you do with the data (selling, targeting, AI), and your industry (HIPAA/GLBA exemptions exist in some but not all states).
7 Compliance Steps Every Business Needs
1. Audit your data collection - document what you collect, where it's stored, who has access.
2. Update your privacy policy - reference every applicable jurisdiction with required disclosures.
3. Build consumer rights workflows - handle access, deletion, and opt-out requests within 30–45 days.
4. Conduct data protection assessments - required for targeted ads, data sales, profiling, sensitive data.
5. Set up breach notification - meet the shortest applicable deadline (72 hours for GDPR).
6. Review vendor agreements - update DPAs with all data processors.
7. Honor opt-out signals - implement Global Privacy Control recognition.
Not sure which laws apply to you?
Answer 7 questions. Get your personalized compliance report in under 2 minutes. Free, no signup.
Check My Compliance Now →Cybersecurity professionals building free privacy tools for the 2026 compliance landscape.