5050 Fifty Fifty Politics ← Go to Homepage
Technology

20 States Now Have Comprehensive Privacy Laws. Congress Still Has None.

Fifty Fifty Politics · Background & Data
With no federal data privacy law on the horizon, states have built an increasingly detailed, and increasingly enforced, patchwork of their own. This piece covers the real numbers: how many states now have comprehensive privacy laws, what's actually changed in 2026's new requirements, and why 2025 marked a genuine shift from passing new laws toward enforcing existing ones.

Twenty states, zero federal law: this is genuinely the current reality

As of 2026, twenty states have comprehensive data privacy laws in effect, following the January 1, 2026 activation of new laws in Indiana, Kentucky, and Rhode Island, according to multiple legal tracking services including MultiState and Forbes. With no comprehensive federal privacy law, and no significant congressional movement toward one expected under the current administration's priorities, states have filled the gap entirely on their own, creating what legal analysts consistently describe as a genuinely complex, overlapping patchwork for any business operating across state lines.

This started with California's Consumer Privacy Act, the first comprehensive state privacy law, later strengthened by the California Privacy Rights Act. Virginia became the second state to adopt a comprehensive law, and the model has since spread steadily: Indiana became the seventh state, Kentucky the eighth, in this ongoing wave.

States With Comprehensive Data Privacy Laws — Sources: MultiState and Bloomberg Law state privacy tracking, 2024-2026. States With Comprehensive Data Privacy Laws 9 states By end of 2024 20 states By 2026
Sources: MultiState and Bloomberg Law state privacy tracking, 2024-2026.

2025 was a genuine inflection point: legislative growth slowed, enforcement intensified

Eight states, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee, enacted new comprehensive privacy laws specifically in 2025. But notably, according to Smith Law's 2026 analysis, 2025 also marked the first year in five years where new comprehensive state privacy legislation leveled out entirely, no genuinely new laws were passed that year beyond the ones already enacted; states instead shifted focus toward refining, amending, and, critically, actually enforcing their existing laws.

That enforcement shift produced real, concrete consequences: in July 2025, the California Attorney General's office reached a $1.55 million settlement, the largest to date under the CCPA, with an online health information publisher, a clear signal that established state privacy laws are moving from a compliance-on-paper phase into genuine active enforcement.

2026 New Privacy Law Effective Dates — Source: MultiState, 20 State Privacy Laws in Effect in 2026. 2026 New Privacy Law Effective Dates Jan 1: Indiana, Kentucky, Rhode Island laws take effect Jul 1: Connecticut, Arkansas, Utah updates/new law effective Aug 1: California data broker rules expand Ongoing: 9 states amended existing laws in 2025 alone
Source: MultiState, 20 State Privacy Laws in Effect in 2026.

The specific new requirements taking effect are becoming meaningfully more detailed

States are starting to coordinate with each other, filling part of the federal gap informally

Nine states (10 individual regulators) have joined the Consortium of Privacy Regulators, a bipartisan initiative formed to coordinate consumer privacy protection efforts across different state jurisdictions. This represents a notable, if informal, response to the lack of federal coordination, states voluntarily aligning enforcement approaches with each other rather than waiting for Congress to create a single national standard.

The core disagreement

Privacy advocates generally argue the current state-by-state patchwork, while imperfect, has produced genuinely meaningful consumer protections faster than waiting for federal action would have, and view continued state enforcement growth (like the CCPA's record settlement) as evidence these laws have real teeth. Business and compliance-focused critics generally argue that operating under 20 different, non-uniform state requirements imposes substantial, duplicative compliance costs, particularly on smaller companies operating nationally, and argue a single federal standard would better serve both businesses and consumers by replacing the current fragmented approach with one clear national rule. Both sides broadly agree federal comprehensive privacy legislation remains genuinely unlikely in the near term given current congressional priorities, meaning the practical question for now isn't whether federal preemption happens soon, but how the state patchwork itself continues to evolve.

Want the core arguments from both sides, side by side?

See the Left vs. Right Breakdown on Data Privacy Legislation →
Sources
Browse All Blogs