The United States has no comprehensive federal privacy law, but state privacy legislation is rapidly filling the vacuum. In 2026 alone, four states implement significant new privacy protections, and understanding your rights matters more than ever.

## The State Privacy Law Explosion

### Current Landscape (as of April 2026)

| Status | Number of States |
|---|---|
| Comprehensive privacy laws enacted | 20+ |
| Laws effective in 2026 | 4 (Indiana, Kentucky, Rhode Island, Connecticut AI) |
| Comprehensive bills pending | 10+ |
| California Delete Act enforcement | Active |

### How State Privacy Laws Work

Most state privacy laws share common elements:

- **Consumer Rights:** Access, deletion, correction, portability
- **Opt-Out:** Right to opt out of data sales
- **Purpose Limitation:** Data used only for stated purposes
- **Security Requirements:** Reasonable security measures
- **Enforcement:** Attorney general or dedicated agency

## 2026: New Laws Taking Effect

### Indiana Consumer Privacy Act (Effective January 1, 2026)

**Key Provisions:**

- Right to know what data is collected
- Right to delete personal data
- Right to correct inaccuracies
- Right to data portability
- Right to opt out of data sales
- Right to opt out of profiling

**Coverage Threshold:**

- Processes data of 100,000+ consumers, OR
- Processes data of 25,000+ consumers AND derives 50%+ revenue from data sales

**What It Doesn't Cover:**

- HIPAA-covered health information
- Financial information covered by GLBA
- Data used for employment purposes
- Non-profits, government entities

### Kentucky Consumer Data Protection Act (Effective January 1, 2026)

Similar to Indiana, with Kentucky-specific provisions:

- 90-day cure period for violations
- Private right of action for data breaches
- Specific requirements for sensitive data (racial/ethnic origin, biometric data, health data, children's data)

### Rhode Island Data Transparency and Privacy Protection Act (Effective January 1, 2026)

Rhode Island's approach includes:

- Enhanced requirements for sensitive data
- Specific provisions for children's privacy
- Stronger consent requirements
- Expanded definition of personal data

### Connecticut AI Training Data Disclosure (Effective July 1, 2026)

Connecticut leads with AI-specific requirements:

- Required disclosure of training data sources
- Consumer rights regarding AI decisions
- Bias assessment requirements
- Human review mandates for consequential AI decisions

## California: The Delete Act in Action

### California's Delete Act

The California Privacy Protection Agency (CPPA) has begun enforcing the Delete Act, which creates:

- **Centralized opt-out mechanism:** One request to delete from all data brokers
- **Mandatory registration:** All data brokers must register with the state
- **Deletion timelines:** 45 days to comply
- **Verification standards:** Reasonable verification of consumer identity

### Taking Action Now

California residents can:

- Submit a single deletion request through CPPA's portal
- Request access to all data held by businesses
- Opt out of "sharing" (broader than "selling")
- Limit use of sensitive personal information
- Correct inaccurate personal information

### The California Privacy Rights Act (CPRA)

CPRA provisions still active:

- Purpose limitation requirements
- Data minimization principles
- Storage limitation rules
- Risk assessment requirements

## Minnesota's Robust Privacy Law

**Effective Date:** August 1, 2025 (now fully active)

Minnesota passed one of the most comprehensive state privacy laws:

| Feature | Minnesota Standard |
|---|---|
| Consumer rights | Access, deletion, correction, portability, opt-out |
| Sensitive data | Explicit consent required |
| Data protection assessments | Required for high-risk processing |
| Private right of action | For data breaches only |
| Cure period | 30 days (shortest) |
| Enforcement | AG only (no private right of action) |

### Minnesota's Unique Provisions

- **Broad definition of sale:** Includes "sharing" for valuable consideration
- **Strong sensitive data protections:** Biometric, health, precise location require opt-in
- **Risk assessment requirements:** Detailed requirements for high-risk processing
- **Algorithm accountability:** Requirements for automated decision-making

## Comparing Major State Laws

### Rights Comparison

| Right | California | Virginia | Colorado | Texas | Indiana | Minnesota |
|---|---|---|---|---|---|---|
| Access | Yes | Yes | Yes | Yes | Yes | Yes |
| Deletion | Yes | Yes | Yes | Yes | Yes | Yes |
| Correction | Yes | Yes | Yes | Yes | Yes | Yes |
| Portability | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt-out of sale | Yes | Yes | Yes | Yes | Yes | Yes |
| Opt-out of profiling | Yes | Yes | Yes | Yes | Yes | Yes |
| Sensitive limits | Yes | No | Yes | No | No | Yes |

### Coverage Thresholds

| State | Consumer Threshold | Revenue Threshold |
|---|---|---|
| California | 100,000 | $25M revenue OR 50% from data |
| Virginia | 100,000 | $25M revenue |
| Colorado | 100,000 | $25M revenue |
| Texas | 100,000 | 50% revenue OR 25M consumers |
| Indiana | 100,000 | 50% revenue OR 25K consumers |
| Minnesota | 10,000\* | $25M revenue\* |

\*Minnesota has lower thresholds, covering more small businesses.

## What These Laws Actually Protect

### Covered Information

Most state laws protect:

- Identifiers (name, email, SSN, IP address)
- Commercial information (purchases, records)
- Internet activity (browsing, app usage)
- Geolocation data
- Biometric information
- Audio/video recordings
- Sensory data
- Inferences drawn from any of the above

### What's NOT Covered

Typically excluded:

- HIPAA-covered health information
- Financial information under GLBA
- Consumer reports under FCRA
- Education records under FERPA
- Data maintained for legal compliance
- De-identified or aggregated data

## How to Exercise Your Rights

### Step-by-Step Process

1. **Identify covered businesses:** Check if company meets threshold
2. **Submit request:** Most have dedicated webforms
3. **Verify identity:** Companies must verify reasonable requests
4. **Wait for response:** Typically 45 days (extended to 90 in some cases)
5. **Appeal if denied:** Many allow internal appeals

### Tips for Effective Requests

- Be specific about what you want (access vs. deletion vs. opt-out)
- Provide account information if available
- Request confirmation in writing
- Document all communications
- Follow up if no response

## What Businesses Must Do

Under most state laws, businesses must:

- Respond to requests within 45 days
- Not discriminate against consumers exercising rights
- Provide mechanisms for requests (at least 2, typically web + phone)
- Honor universal opt-out signals (GPC)
- Provide necessary privacy notices

## The Enforcement Reality

### How Laws Are Enforced

| State | Enforcement Body | Penalty Structure |
|---|---|---|
| California | CPPA, AG | $2,500-$7,500 per violation |
| Virginia | AG only | Up to $7,500 per violation |
| Colorado | AG only | Up to $20,000 per violation |
| Texas | AG only | Up to $25,000 per violation |
| Indiana | AG only | Up to $7,500 per violation |
| Minnesota | AG only | Up to $10,000 per violation |

### Private Rights of Action

Most state laws do NOT provide private rights of action (lawsuit rights for individuals), EXCEPT:

- **Minnesota:** For data breaches
- **Rhode Island:** For certain violations
- Some laws via breach notification provisions

## Conclusion: Know Your Rights

State privacy laws are multiplying, but their effectiveness depends on:

- **Active enforcement:** AG offices vary in priority
- **Consumer awareness:** Rights don't matter if people don't know them
- **Business compliance:** Some companies drag their feet
- **Regulatory development:** Rules are still being written

The best strategy is:

- Know your state's laws and their effective dates
- Exercise your rights regularly
- Support strong privacy legislation
- Use privacy tools that work across state lines
- Advocate for federal privacy legislation that preempts weak state laws

The privacy landscape is changing rapidly. Stay informed, stay aware, and take control of your personal information.

---

_Privacy laws are complex and vary significantly. Consult a privacy attorney for advice on specific situations._