TL;DR: With no federal privacy law, states are creating their own. Over 20 states now have comprehensive privacy laws, with more taking effect in 2025-2026. Common rights include access, deletion, and opt-out of data sales. Children's protections are expanding rapidly—Virginia now limits under-16s to one hour on social media without parental consent. Biometric data gets special protection in Colorado. Your rights vary dramatically based on your state. This guide covers what's in effect, what's coming, and what you can do.
The Privacy Law Landscape
The United States lacks a comprehensive federal privacy law. Instead, protection depends on:[1]
- State comprehensive privacy laws — Growing rapidly; 20+ states by 2026
- Sector-specific federal laws — HIPAA (health), COPPA (children), GLBA (financial)
- State-specific biometric laws — Illinois BIPA, Texas, Washington
- State data breach notification laws — All 50 states
The result is a patchwork where your privacy rights depend significantly on geography.
Laws Effective Now (January 2026)
California (CCPA/CPRA)
Strongest state law. Right to know, delete, correct. Opt-out of sale/sharing. Dedicated enforcement agency.
Virginia (VCDPA)
Access, delete, correct, opt-out. Now includes children's protections and 1-hour social media limit for under-16s (2026).
Colorado (CPA)
Consumer rights + biometric protections + minors' online safety. AI Act coming June 2026.
Connecticut (CTDPA)
Similar to Virginia model. Includes minors' protections.
Utah (UCPA)
More business-friendly version. Basic consumer rights.
Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware...
Additional states with comprehensive laws now in effect or taking effect in 2025.
Virginia Deep Dive: VCDPA Updates
Virginia's law has evolved significantly:[2]
Children's Privacy (Effective January 2025)
- Parental consent required before processing data of children under 13
- Cannot target children with advertising or sell their data without consent
- Collecting precise geolocation from children prohibited unless necessary
Reproductive Health (Effective July 2025)
- Prohibits collection, disclosure, or sale of reproductive/sexual health information without consent
Social Media Limits (Effective January 2026)
- Platforms must use "commercially reasonable methods" to determine if users are under 16
- Under-16 users limited to one hour per day by default
- Parents can provide verifiable consent to adjust limits
Colorado Deep Dive: CPA Updates
Colorado's approach layers multiple protections:[3]
Biometric Protections (Effective July 2025)
- Expanded definition of regulated biometric data
- Notice and consent requirements for collection
- Applies regardless of standard CPA thresholds
Minors' Online Safety (Effective October 2025)
- Age of protection raised from 13 to 18
- Affirmative consent required from minors for targeted advertising or data sales
- Consent needed before implementing "addictive" design features
- Right to cure period for businesses until December 31, 2026
AI Act (Effective June 2026)
- Transparency requirements for high-risk AI systems
- Algorithmic impact assessments
- Prevention of algorithmic discrimination
New Laws Taking Effect in 2026
States with comprehensive privacy laws becoming effective:[4]
- Indiana: January 1, 2026
- Kentucky: January 1, 2026
- Rhode Island: January 1, 2026
- Nebraska: January 1, 2026
- New Hampshire: January 1, 2026
- New Jersey: January 15, 2026
- Maryland: October 1, 2025 (some provisions 2026)
Each follows similar frameworks with variations in thresholds, enforcement, and specific protections.
Common Rights Across Laws
Most comprehensive state privacy laws include:
Right to Know
Access what personal data a company has collected about you and how it's used.
Right to Delete
Request deletion of your personal data (with some exceptions).
Right to Correct
Fix inaccurate personal information.
Right to Opt Out
Opt out of sale of data, targeted advertising, and profiling.
Right to Portability
Obtain a copy of your data in usable format.
Non-Discrimination
Can't be penalized for exercising privacy rights.
Key Differences Between States
- Thresholds: Who must comply varies (100,000 consumers, revenue from data sales, etc.)
- Private right of action: Most states don't allow individual lawsuits (California and some exceptions)
- Right to cure: Some states require businesses get warning before enforcement
- Sensitive data: Definitions of "sensitive" data vary (biometric, health, precise location)
- Universal opt-out: Some states recognize browser-based Global Privacy Control
- Children's age: Protection ages range from 13 to 18 depending on state and provision
How to Exercise Your Rights
- Identify your state's law: Check if your state has comprehensive privacy legislation
- Find the privacy request portal: Companies must provide ways to submit requests (usually in privacy policy footer)
- Submit access request: Ask for a copy of all data collected about you
- Review what's collected: Examine the response to understand data collection scope
- Submit deletion request: Request removal of data you don't want retained
- Opt out of sale/sharing: Use opt-out rights for advertising and data broker sales
- Enable Global Privacy Control: Browser setting that signals opt-out preferences automatically
- Document everything: Keep records of requests and responses for potential complaints
Enforcement Reality
Enforcement varies significantly:
- California: Dedicated California Privacy Protection Agency with active enforcement
- Other states: Enforcement by state Attorney General offices with limited resources
- Complaints: Filing complaints can prompt investigation but individual resolution is rare
- Private lawsuits: Generally not available except for data breaches in some states
Aggressive enforcement is anticipated in 2026 as laws mature and AGs gain experience.
The Federal Gap
Why no federal privacy law?
- Preemption debate: Should federal law override state laws? States want to keep stronger protections
- Private right of action: Business lobby opposes allowing individuals to sue
- Partisan differences: Disagreement on enforcement mechanisms and scope
- Tech lobby: Industry prefers weak federal law that preempts strong state laws
The American Privacy Rights Act came close in 2024 but didn't pass. Similar efforts continue in 2026.
The Bottom Line
Your privacy rights depend on your zip code—a fundamentally arbitrary distinction. California residents have far stronger protections than those in states without comprehensive laws.
The good news: the trend is toward more protection. Over 20 states now have privacy laws, with children's protections expanding rapidly. Virginia's social media time limits and Colorado's AI governance show states pushing beyond baseline protections.
The bad news: enforcement is uneven, most states don't allow private lawsuits, and companies often comply minimally. Exercising your rights requires effort.
Know your state's law. Submit access and deletion requests. Enable Global Privacy Control. And advocate for comprehensive federal legislation that sets a strong floor for all Americans.