As of 2026, twenty states have comprehensive data privacy laws in effect, following the January 1, 2026 activation of new laws in Indiana, Kentucky, and Rhode Island, according to multiple legal tracking services including MultiState and Forbes. With no comprehensive federal privacy law, and no significant congressional movement toward one expected under the current administration's priorities, states have filled the gap entirely on their own, creating what legal analysts consistently describe as a genuinely complex, overlapping patchwork for any business operating across state lines.
This started with California's Consumer Privacy Act, the first comprehensive state privacy law, later strengthened by the California Privacy Rights Act. Virginia became the second state to adopt a comprehensive law, and the model has since spread steadily: Indiana became the seventh state, Kentucky the eighth, in this ongoing wave.
Eight states, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee, enacted new comprehensive privacy laws specifically in 2025. But notably, according to Smith Law's 2026 analysis, 2025 also marked the first year in five years where new comprehensive state privacy legislation leveled out entirely, no genuinely new laws were passed that year beyond the ones already enacted; states instead shifted focus toward refining, amending, and, critically, actually enforcing their existing laws.
That enforcement shift produced real, concrete consequences: in July 2025, the California Attorney General's office reached a $1.55 million settlement, the largest to date under the CCPA, with an online health information publisher, a clear signal that established state privacy laws are moving from a compliance-on-paper phase into genuine active enforcement.
Nine states (10 individual regulators) have joined the Consortium of Privacy Regulators, a bipartisan initiative formed to coordinate consumer privacy protection efforts across different state jurisdictions. This represents a notable, if informal, response to the lack of federal coordination, states voluntarily aligning enforcement approaches with each other rather than waiting for Congress to create a single national standard.
Privacy advocates generally argue the current state-by-state patchwork, while imperfect, has produced genuinely meaningful consumer protections faster than waiting for federal action would have, and view continued state enforcement growth (like the CCPA's record settlement) as evidence these laws have real teeth. Business and compliance-focused critics generally argue that operating under 20 different, non-uniform state requirements imposes substantial, duplicative compliance costs, particularly on smaller companies operating nationally, and argue a single federal standard would better serve both businesses and consumers by replacing the current fragmented approach with one clear national rule. Both sides broadly agree federal comprehensive privacy legislation remains genuinely unlikely in the near term given current congressional priorities, meaning the practical question for now isn't whether federal preemption happens soon, but how the state patchwork itself continues to evolve.
Want the core arguments from both sides, side by side?
See the Left vs. Right Breakdown on Data Privacy Legislation →