
How Many US States Now Have Privacy Laws?
As of March 2026, 20 comprehensive state privacy laws are either in effect or taking effect this year, creating the most complex privacy compliance landscape in US history. Organizations operating across state lines now face a patchwork of requirements that demand sophisticated, multi-jurisdictional compliance programs.
Which States Have New or Updated Privacy Laws in 2026?
The wave includes both entirely new privacy statutes and significant amendments to existing laws:
- California: Expanded data broker registration requirements with more detailed disclosures and streamlined deletion request processing; new consumer health data privacy protections
- New York & Vermont: Age-appropriate design laws with staggered effective dates extending into 2026-2027
- Maine: LD 1822 (Maine Online Data Privacy Act) passed the Senate — one of the strictest bills in the country, mirroring Maryland’s 2024 law
- Virginia & Utah: Legislatures passed amendments to their existing consumer data privacy laws
- Multiple states: AI-specific provisions applying existing privacy requirements to data collected or processed for AI systems
What Are the Key Compliance Challenges?
The proliferation of state-level privacy laws creates several critical challenges for organizations:
Data Mapping and Classification
- Each state defines “personal information” slightly differently
- Some states have expanded definitions covering biometric data, geolocation, and AI training data
- Organizations need to know which data elements trigger obligations in which states
Consumer Rights Variations
- Rights to access, delete, correct, and port data vary by state
- Opt-out mechanisms differ (some require universal opt-out recognition)
- Response timelines range from 15 to 45 days depending on jurisdiction
AI and Biometric Data Provisions
- Several states now apply privacy requirements to data collected for AI systems
- Biometric consent requirements vary significantly (Illinois BIPA remains the strictest)
- Some states clarify when consent to biometric capture is deemed given
Timeline of Key 2026 Effective Dates
| Date | State/Law | Key Provision |
|---|---|---|
| Jan 1, 2026 | Multiple states | New comprehensive privacy laws take effect |
| Q1 2026 | Maine (LD 1822) | Senate passed; awaiting House/Governor |
| Jun 30, 2026 | Colorado AI Act | High-risk AI system obligations begin |
| Aug 2, 2026 | EU AI Act | High-risk system requirements enforceable |
Key Takeaway
US privacy compliance in 2026 requires governance programs that can absorb amendments, ancillary laws, and AI-specific obligations without fragmenting. Organizations should invest in automated compliance platforms, centralized data mapping, and modular privacy programs that can adapt as new states enact or update their laws.
Final Thoughts
The patchwork of state privacy laws continues to grow more complex. Without a comprehensive federal privacy law, businesses must navigate an increasingly fragmented landscape. The best approach: build a compliance baseline around the strictest requirements (California, Maryland, and now potentially Maine), then adapt downward for less restrictive states.
Sources and Credits
- MultiState — “20 State Privacy Laws in Effect in 2026: Key Dates & Changes” (Updated March 2026)
- Troutman Pepper — “Proposed State Privacy Law Update: March 9, 2026”
- Spectrum Local News — “Mills not happy with carveout in data privacy bill” (March 11, 2026)
This article was researched and generated with the assistance of AI technology. While we strive for accuracy, readers should verify critical information with official legal sources and consult qualified legal professionals for specific compliance guidance.