20 State Privacy Laws 2026 - Mandatly

How Many US States Now Have Privacy Laws?

As of March 2026, 20 comprehensive state privacy laws are either in effect or taking effect this year, creating the most complex privacy compliance landscape in US history. Organizations operating across state lines now face a patchwork of requirements that demand sophisticated, multi-jurisdictional compliance programs.

Which States Have New or Updated Privacy Laws in 2026?

The wave includes both entirely new privacy statutes and significant amendments to existing laws:

  • California: Expanded data broker registration requirements with more detailed disclosures and streamlined deletion request processing; new consumer health data privacy protections
  • New York & Vermont: Age-appropriate design laws with staggered effective dates extending into 2026-2027
  • Maine: LD 1822 (Maine Online Data Privacy Act) passed the Senate — one of the strictest bills in the country, mirroring Maryland’s 2024 law
  • Virginia & Utah: Legislatures passed amendments to their existing consumer data privacy laws
  • Multiple states: AI-specific provisions applying existing privacy requirements to data collected or processed for AI systems

What Are the Key Compliance Challenges?

The proliferation of state-level privacy laws creates several critical challenges for organizations:

Data Mapping and Classification

  • Each state defines “personal information” slightly differently
  • Some states have expanded definitions covering biometric data, geolocation, and AI training data
  • Organizations need to know which data elements trigger obligations in which states

Consumer Rights Variations

  • Rights to access, delete, correct, and port data vary by state
  • Opt-out mechanisms differ (some require universal opt-out recognition)
  • Response timelines range from 15 to 45 days depending on jurisdiction

AI and Biometric Data Provisions

  • Several states now apply privacy requirements to data collected for AI systems
  • Biometric consent requirements vary significantly (Illinois BIPA remains the strictest)
  • Some states clarify when consent to biometric capture is deemed given

Timeline of Key 2026 Effective Dates

Date State/Law Key Provision
Jan 1, 2026 Multiple states New comprehensive privacy laws take effect
Q1 2026 Maine (LD 1822) Senate passed; awaiting House/Governor
Jun 30, 2026 Colorado AI Act High-risk AI system obligations begin
Aug 2, 2026 EU AI Act High-risk system requirements enforceable

Key Takeaway

US privacy compliance in 2026 requires governance programs that can absorb amendments, ancillary laws, and AI-specific obligations without fragmenting. Organizations should invest in automated compliance platforms, centralized data mapping, and modular privacy programs that can adapt as new states enact or update their laws.

Final Thoughts

The patchwork of state privacy laws continues to grow more complex. Without a comprehensive federal privacy law, businesses must navigate an increasingly fragmented landscape. The best approach: build a compliance baseline around the strictest requirements (California, Maryland, and now potentially Maine), then adapt downward for less restrictive states.

Sources and Credits

This article was researched and generated with the assistance of AI technology. While we strive for accuracy, readers should verify critical information with official legal sources and consult qualified legal professionals for specific compliance guidance.