The Privacy Law Explosion
When California's CCPA took effect in January 2020, it was a shock to the system for most US-based websites. A single state had unilaterally created privacy obligations that applied to anyone doing business there — which, given California's 39 million residents and its outsized share of US internet traffic, meant nearly every website of any size.
In 2026, three new US state privacy laws took effect: Kentucky (KCDPA, January 1), Indiana (ICDPA, January 1), and Rhode Island (RIDTPPA, January 1). Combined with 14 existing state laws, your website now faces up to 17 state privacy frameworks if you serve US residents. All require a privacy policy disclosing what data you collect, how it's used, and how consumers can exercise their rights.
What followed was not a federal response. Congress has debated a national privacy law for years without passing one. Instead, other states looked at California and started passing their own laws. Virginia in 2023. Colorado and Connecticut the same year. Utah shortly after. Then came a flood: Montana, Texas, Iowa, New Hampshire, New Jersey, Nebraska, Delaware, Minnesota, and Maryland — all signed into law and now in effect. Kentucky, Indiana, and Rhode Island joined them on January 1, 2026.
As of May 2026, 17 US states have comprehensive consumer privacy laws in force. That is not a niche compliance concern for large enterprises. If your website collects any data from US visitors — and it almost certainly does — you need to know which of these laws applies to you, what they require, and whether your privacy policy actually covers them.
The short version: if your privacy policy was last updated in 2022 or earlier, it is out of compliance. Not maybe. Not possibly. It is missing legal requirements that are now in force in states covering well over half the US population.
The Complete US State Privacy Law Map (as of May 2026)
| State | Law | Effective Date | Business Threshold |
|---|---|---|---|
| California | CCPA/CPRA | Jan 1, 2023 | 100K consumers OR $25M revenue |
| Virginia | VCDPA | Jan 1, 2023 | 100K consumers |
| Colorado | CPA | Jul 1, 2023 | 100K consumers |
| Connecticut | CTDPA | Jul 1, 2023 | 100K consumers |
| Utah | UCPA | Dec 31, 2023 | 100K consumers |
| Montana | MT-CDPA | Oct 1, 2024 | 50K consumers |
| Texas | TDPSA | Jul 1, 2024 | No threshold (conducts business in TX) |
| Iowa | Iowa CDPA | Jan 1, 2025 | 100K consumers |
| New Hampshire | NHDPA | Jan 1, 2025 | 35K consumers |
| New Jersey | NJDPA | Jan 15, 2025 | 100K consumers |
| Nebraska | NCDPA | Jan 1, 2025 | 100K consumers |
| Delaware | DPDPA | Jan 1, 2025 | 35K consumers |
| Minnesota | MCDPA | Jul 31, 2025 | 100K consumers |
| Maryland | MODPA | Oct 1, 2025 | 35K consumers |
| Kentucky | KCDPA | Jan 1, 2026 | 100K consumers |
| Indiana | ICDPA | Jan 1, 2026 | 100K consumers |
| Rhode Island | RIDTPPA | Jan 1, 2026 | 35K consumers |
The last three rows (Kentucky, Indiana, and Rhode Island) are the 2026 additions effective January 1, 2026.
Deep Dive: The 2026 New Laws
Kentucky Consumer Data Protection Act (KCDPA) — Effective January 1, 2026
Kentucky's KCDPA closely follows the Virginia VCDPA template that has become the de facto model for most state privacy laws. It applies to any business that controls or processes personal data of 100,000 or more Kentucky consumers during a calendar year, or that processes data of 25,000 or more consumers and derives more than 50% of gross revenue from the sale of personal data.
Consumer rights under the KCDPA include the right to access their personal data, the right to deletion, the right to correction of inaccurate data, the right to data portability (receiving their data in a structured, commonly used format), the right to opt out of targeted advertising, and the right to opt out of profiling that produces legal or similarly significant effects.
Your privacy policy must disclose the categories of personal data you collect, the purposes for which data is processed, any third parties with whom data is shared, and clear instructions for how consumers can exercise each of the above rights. Businesses have 45 days to respond to consumer requests, with a 45-day extension available if necessary.
One notable feature of the KCDPA: there is no private right of action. Only the Kentucky Attorney General can bring enforcement actions. Civil penalties can reach $7,500 per violation. Businesses also receive a 30-day right to cure before the AG can initiate enforcement, giving you a window to fix non-compliant practices if notified. But do not treat the cure period as a reason to delay — AGs in other states have been active, and enforcement resources are growing across the country.
For privacy policy purposes, the practical requirement is that you list Kentucky alongside other applicable states in your consumer rights section and ensure your opt-out mechanisms function correctly for Kentucky residents.
Indiana Consumer Data Protection Act (ICDPA) — Effective January 1, 2026
Indiana's ICDPA is perhaps the most Virginia-like of the 2026 arrivals. The structure, definitions, and consumer rights framework are nearly identical to the VCDPA. The thresholds are the same: 100,000 consumers annually, or 25,000 consumers combined with more than 50% revenue from data sales.
Consumer rights mirror those in Virginia: access, correction, deletion, portability, and opt-out of targeted advertising and certain forms of profiling. Controllers must respond to verified consumer requests within 45 days. Unlike some states, Indiana explicitly requires controllers to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. High-risk activities under Indiana law include processing for targeted advertising, selling personal data, profiling that presents reasonably foreseeable risks of harm, processing sensitive data, and processing data of children.
The DPIA requirement is significant even if it is not reflected on your public-facing privacy policy — it is an internal compliance step your organization must take. Your privacy policy should, however, disclose whether you engage in any of these high-risk activities.
One genuinely notable aspect of Indiana's law: businesses have a full 30-day cure period after receiving notice of a violation before the Attorney General can pursue enforcement. This is more generous than California, which eliminated the cure period entirely. Indiana AG enforcement carries civil penalties up to $7,500 per violation. No private right of action exists.
For multi-state compliance, Indiana's requirements are fully covered by a well-drafted privacy policy that already addresses Virginia, Colorado, and Connecticut. If you have been keeping up with those three, Indiana does not add meaningfully new obligations to your policy text — though you should explicitly name Indiana in your applicable-states section.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) — Effective January 1, 2026
Rhode Island's RIDTPPA stands out from the 2026 pack for two reasons: its lower consumer threshold and its particularly strong data minimization requirements. The law applies to any person that conducts business in Rhode Island or produces products or services targeted to Rhode Island residents, and that either processes data of 35,000 or more consumers annually, or processes data of 10,000 or more consumers and derives more than 20% of revenue from data sales.
That 35,000 consumer threshold is meaningfully lower than the 100,000 used by most states — putting Rhode Island alongside New Hampshire, Delaware, and Maryland as laws that apply to much smaller operations. If your website has any meaningful national traffic, you almost certainly process data from more than 35,000 people per year between all sources.
Rhode Island's data minimization requirement is one of the strongest in US state law. Controllers are prohibited from collecting personal data beyond what is reasonably necessary and proportionate to the purposes disclosed in the privacy notice. This is not just a policy disclosure obligation — it requires you to actually limit your data collection practices, not merely describe them.
Privacy notices under the RIDTPPA must be clear, accessible, and updated within 30 days of any material change to your data practices. That 30-day update requirement is stricter than most state laws, which leave update timing to the controller's discretion. Consumer rights include access, correction, deletion, portability, and opt-out of targeted advertising, profiling, and data sales. Businesses must respond to requests within 45 days.
Does Your Website Need to Comply?
The "100K consumers" threshold — what it actually means
The most common misreading of state privacy law thresholds is treating "consumers" as if it means "paying customers." It does not. In the context of privacy law, "processing" personal data means any operation performed on data: collection, storage, use, disclosure, or deletion. If a visitor lands on your website and Google Analytics fires, you have processed their data.
The 100,000 consumer threshold refers to the number of individuals whose personal data you process in a calendar year — not the number of purchases, accounts, or subscribers. For a website with any meaningful traffic, 100,000 is not a high bar. A site getting 300 unique visitors per day processes data from more than 100,000 consumers annually. A basic analytics setup, a contact form, and a newsletter signup are enough to establish that you are processing data, even if you never sell anything or collect a payment.
The practical implication: if you have a functioning website with any third-party analytics, forms, or email capture, you are almost certainly above the 100,000 consumer threshold in aggregate across states. Whether any single state's law applies depends on what share of your visitors come from that state — but given the size of states like California, Texas, Virginia, and New York, the odds are high that several apply to you.
Texas's TDPSA has no consumer threshold at all. It applies to any business that conducts business in Texas or produces products or services targeted to Texas residents — full stop. With a population of 30 million and among the largest shares of US internet traffic, if you have a public website, you almost certainly have Texas visitors. That means the TDPSA applies to you regardless of your size.
The "conducts business in X state" test
Texas is not the only state where the jurisdictional test matters as much as the threshold. Most state laws apply to any entity that "conducts business" in the state or "produces products or services that are targeted to" residents of the state. For an online business, "targeted to" residents of a state typically means your website is accessible to them and you actively process their data — which is true of virtually every public website.
Rhode Island, New Hampshire, Delaware, and Maryland all have lower thresholds (35,000 consumers in some cases). A mid-size blog or SaaS tool with 10,000 monthly visitors would exceed 35,000 processed consumers in a year without any difficulty. Do not assume that a small or medium-sized site is too small to qualify.
Does your website need to update its privacy policy for 2026 laws?
Answer these four questions:
If you checked any of the above: determine which state laws apply based on your traffic distribution, then verify your privacy policy covers all of them. Given Texas's no-threshold rule alone, most websites have at least one applicable state law regardless of size.
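To make the threshold test above concrete, here is an added example (not FreeTOS code) that takes a yearly consumer count, apportions it across states by traffic share, and reports which state laws from the table are triggered. It assumes "consumers" means yearly unique individuals whose data was processed, encodes the secondary consumer-plus-revenue-share paths only for the three states the article spells them out for (Kentucky, Indiana, Rhode Island), and the traffic shares are constructed sample values.

```python
"""Which US state privacy laws a site's traffic crosses the threshold for,
using the consumer thresholds in the article's table.
Added example, not FreeTOS code. Assumption: per-state counts are yearly
unique individuals whose data was processed (every visitor with analytics
firing counts), not paying customers."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threshold:
    law: str
    consumers: Optional[int]              # None: no consumer threshold (Texas)
    alt_consumers: Optional[int] = None   # secondary path: this many consumers...
    alt_revenue_share: float = 0.0        # ...plus more than this share of revenue from data sales
    revenue_floor: Optional[int] = None   # California: $25M annual revenue also qualifies


# Primary thresholds from the article's table. Secondary paths only where
# the article states them: Kentucky, Indiana, Rhode Island.
THRESHOLDS = {
    "CA": Threshold("CCPA/CPRA", 100_000, revenue_floor=25_000_000),
    "VA": Threshold("VCDPA", 100_000),
    "CO": Threshold("CPA", 100_000),
    "CT": Threshold("CTDPA", 100_000),
    "UT": Threshold("UCPA", 100_000),
    "MT": Threshold("MT-CDPA", 50_000),
    "TX": Threshold("TDPSA", None),
    "IA": Threshold("Iowa CDPA", 100_000),
    "NH": Threshold("NHDPA", 35_000),
    "NJ": Threshold("NJDPA", 100_000),
    "NE": Threshold("NCDPA", 100_000),
    "DE": Threshold("DPDPA", 35_000),
    "MN": Threshold("MCDPA", 100_000),
    "MD": Threshold("MODPA", 35_000),
    "KY": Threshold("KCDPA", 100_000, 25_000, 0.50),
    "IN": Threshold("ICDPA", 100_000, 25_000, 0.50),
    "RI": Threshold("RIDTPPA", 35_000, 10_000, 0.20),
}


def yearly_consumers(daily_unique_visitors: int) -> int:
    """Rough yearly count of processed individuals, as the article reasons."""
    return daily_unique_visitors * 365


def split_by_state(total: int, traffic_share: dict) -> dict:
    """Apportion a yearly total across states by traffic share (0.0 to 1.0)."""
    return {st: round(total * share) for st, share in traffic_share.items()}


def applicable_laws(consumers_by_state: dict, data_sale_revenue_share: float = 0.0,
                    annual_revenue: int = 0) -> dict:
    """Return {state: reason} for every state whose law is triggered."""
    hits = {}
    for st, t in THRESHOLDS.items():
        n = consumers_by_state.get(st, 0)
        if t.consumers is None:
            if n > 0:   # Texas: any Texas visitors, regardless of size
                hits[st] = f"{t.law}: no consumer threshold, {n:,} {st} visitors"
        elif n >= t.consumers:
            hits[st] = f"{t.law}: {n:,} consumers >= {t.consumers:,}"
        elif (t.alt_consumers and n >= t.alt_consumers
              and data_sale_revenue_share > t.alt_revenue_share):
            hits[st] = f"{t.law}: {n:,} consumers with >{t.alt_revenue_share:.0%} revenue from data sales"
        elif t.revenue_floor and annual_revenue >= t.revenue_floor:
            hits[st] = f"{t.law}: annual revenue >= ${t.revenue_floor:,}"
    return hits


if __name__ == "__main__":
    # Constructed sample: 300 unique visitors/day, split by rough population share
    shares = {"CA": 0.12, "TX": 0.09, "VA": 0.026, "RI": 0.003, "NH": 0.004, "KY": 0.013}
    per_state = split_by_state(yearly_consumers(300), shares)
    for st, why in sorted(applicable_laws(per_state).items()):
        print(st, why)
```

With the sample split, a 300-visitors-per-day site clears 100,000 consumers in aggregate but only triggers Texas, which is exactly why the article says to check your traffic distribution state by state.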
What Your Privacy Policy Must Now Include (2026 Update)
The post-2025 wave of state privacy laws has converged on a fairly consistent set of required disclosures. A privacy policy that covers all 17 active state laws must address the following:
Categories of personal data collected. You must disclose what types of data you collect — not a vague catch-all, but actual categories. Identifiers (name, email, IP address), usage data (pages visited, time on site), device data, location data, payment information, communication content. List what you actually collect.
Purposes for collection and processing. For each category of data, state why you collect it. Analytics. Customer service. Order fulfillment. Marketing. You must disclose the purpose at or before the time of collection.
Third parties data is shared with. The 2026 laws, particularly Rhode Island and Maryland, require meaningful disclosure of third-party sharing — not just "we may share with service providers." Name or specifically categorize the types of third parties: analytics providers (Google Analytics), email service providers (Mailchimp), payment processors (Stripe), advertising platforms (Google Ads, Meta Pixel). The more specific the better, and several states now push toward disclosure by name.
Data retention periods. This is one of the most commonly missing elements from US privacy policies. You must state how long you retain each category of data, or the criteria you use to determine retention. "We retain data for as long as necessary" is not sufficient. Say how long: account data is retained for the duration of the account plus 30 days; email subscriber data is retained until unsubscribe plus 12 months; analytics data is retained for 26 months.
Consumer rights and how to exercise them. For each applicable state, list the rights that consumers in that state have. At minimum under the 2026 laws: right to access, right to correction, right to deletion, right to portability, right to opt out of targeted advertising, right to opt out of profiling. Provide a specific email address or web form for submitting requests — not just a general contact address.
Whether data is sold or shared for targeted advertising. All active state laws require explicit disclosure if you sell personal data or share it for targeted advertising purposes. If you run Google Ads or Meta Pixel on your site, you are almost certainly sharing data for targeted advertising. You must disclose this and provide an opt-out mechanism.
Opt-out mechanisms for targeted advertising and profiling. The disclosure is not enough — you must actually provide a way for consumers to opt out. This is typically a "Do Not Sell or Share My Personal Information" link (required by California) or a general "Opt Out of Targeted Advertising" mechanism. Several states now require this link to be easily accessible from your homepage or footer, not buried in the policy text.
Response timeframes. All active state laws specify how quickly you must respond to consumer rights requests. The standard is 45 days, with an optional 45-day extension if you notify the consumer. Some states (Iowa) have a 90-day window. California has a 45-day window. Disclose the timeframe you commit to and honor it.
Appeal process for denied requests. This is required by Virginia, Colorado, Connecticut, and most of the 2025-2026 laws. If you deny a consumer's rights request, they must have a way to appeal. Describe the appeal process in your policy: how to submit an appeal, how long you will take to respond, and what happens if the appeal is also denied (in some states, consumers can then escalate to the AG).
Your contact information for privacy requests. A dedicated privacy email address or web form. Not a generic info@ address. Many states require that privacy requests be processable through a toll-free number or online mechanism for larger businesses.
The 5 Things Most Privacy Policies Are Missing Right Now
After reviewing hundreds of privacy policies from websites of all sizes, these are the five gaps that appear most consistently in policies that were last updated before 2024:
1. Data retention periods. Almost universally missing from US-drafted policies, even though GDPR has required them since 2018 and several US state laws now expect them. You need to state, for each category of data, how long you keep it and why. Vague language about "as long as necessary" does not satisfy any of the 2026 laws.
2. Consumer rights for all applicable states. Most older privacy policies mention California (CCPA) and nothing else. A policy that only covers California is now dramatically incomplete. You need sections covering Virginia, Colorado, Texas, and all applicable 2025-2026 states — ideally in jurisdiction-labeled sections that consumers can easily navigate.
3. A functional opt-out mechanism for targeted advertising. Not just a disclosure that you use advertising — an actual mechanism for users to opt out. Many sites have added a "Do Not Sell My Personal Information" link that satisfies the letter of the California law but fails to address the opt-out requirements of the newer states, which often require broader "Do Not Sell or Share" language covering targeted advertising regardless of whether a direct sale occurs.
4. Third-party data sharing disclosure with sufficient specificity. "We share with third-party service providers" is not a disclosure. Name them, or at minimum categorize them with enough detail that a consumer understands who has their data: analytics providers, advertising networks, cloud infrastructure providers, payment processors, customer support tools.
5. AI-related disclosures. If your website uses any AI tools that process user data — AI chat widgets, AI-powered search, AI content generation tools, or AI customer service bots — you must disclose this. Several states are moving toward explicit AI-in-privacy-policy requirements, and the GDPR already requires disclosure of automated decision-making. This is the fastest-growing gap in current privacy policies and the one most likely to become a major enforcement area in the next two years.
EU Updates: What Changed in 2025-2026
If you have any EU website visitors, the GDPR remains the most demanding privacy framework in the world, and enforcement has accelerated sharply. Data protection authorities across the EU issued over €1.5 billion in GDPR fines in 2023 alone, with major actions against Meta, TikTok, and LinkedIn. The enforcement focus has shifted toward consent validity — specifically, whether cookie consent mechanisms and opt-in flows actually meet the GDPR's standard of freely given, specific, informed, and unambiguous consent.
The EU AI Act, which began phasing in during 2024 and 2025, creates new disclosure obligations relevant to privacy policies. If your site uses AI systems to process user data — including AI chat, AI recommendations, or automated profiling — you may need to add AI Act disclosures about the nature of the AI system, its purpose, and the data it processes. The highest-risk AI systems face the most stringent requirements, but even general-purpose AI tools used to interact with consumers require transparency.
The ePrivacy Regulation, which would replace the current ePrivacy Directive and create stricter cookie rules, remains pending in the EU legislative process as of May 2026. Do not count on it resolving soon. Current cookie compliance obligations are governed by each EU member state's implementation of the ePrivacy Directive, which means variation across the EU and continued enforcement through national DPAs.
For a site with EU visitors, your privacy policy needs GDPR-specific sections covering your legal basis for processing each category of data, your DPO's contact information if applicable, your data retention schedules, cross-border transfer mechanisms, and the full set of EU data subject rights. A combined US+EU privacy policy covering all applicable frameworks is the practical solution for most internationally trafficked sites. You can generate one that covers both using the FreeTOS GDPR privacy policy generator.
Your Free 2026 Privacy Policy Compliance Checklist
Use this checklist to audit your current privacy policy against the 2026 requirements. Every item that is unchecked is a compliance gap.
2026 Privacy Policy Compliance Checklist
If you checked fewer than 8 of the 10 items, your privacy policy needs a significant update. If you are starting from scratch or your current policy is more than two years old, generating a new one is faster than trying to patch the gaps. The FreeTOS privacy policy generator covers all active US state laws and GDPR in a single policy. The CCPA-specific generator is available if you need California-focused coverage. For businesses that process data on behalf of other businesses, a data processing agreement is a separate but related requirement under GDPR and several US state laws.
For deeper background on the GDPR framework that underlies much of what US state laws are now adopting, read What Is GDPR? A Plain-English Explanation. For the California-specific context that started the US state law wave, see our guide on What Is CCPA and Who Does It Apply To.
Update Your Privacy Policy Free
Generate a complete, 2026-compliant privacy policy covering all active US state laws and GDPR in one document. Takes two minutes. No signup required.
Frequently Asked Questions
17 US states now have comprehensive privacy laws in effect, including the new 2026 additions of Kentucky, Indiana, and Rhode Island. The full list includes California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Montana (MCDPA), Texas (TDPSA), Iowa (ICDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Nebraska (NCDPA), Delaware (DPDPA), Minnesota (MCDPA), Maryland (MODPA), Kentucky (KCDPA), Indiana (ICDPA), and Rhode Island (RIDTPPA). Several more states have passed laws taking effect in 2027 and beyond.
If your site collects data from residents of a state with a privacy law — through analytics, contact forms, email signups, or any other mechanism — you likely need to comply, depending on the state's threshold. Texas has no threshold at all, meaning any business operating in or targeting Texas residents must comply. Most other states use a 100,000 consumer threshold measured by how many consumers' data you process in a calendar year, not how many paying customers you have. A site with 300 daily unique visitors easily exceeds 100,000 processed consumers per year.
At minimum: all consumer rights for each applicable state (access, deletion, correction, portability, opt-out of targeted advertising), your data retention periods, third-party disclosure details by name or category, opt-out mechanisms for targeted advertising and profiling, how to submit a data rights request, and how to appeal a denied request. Most policies written before 2023 are missing several of these. If your policy only mentions California, you have significant gaps for the 16 other active state laws.
No. One comprehensive privacy policy that covers all applicable state laws is the standard approach and is what most legal teams recommend. Sections can be labeled by jurisdiction — for example, a "California Residents" section and a "Virginia Residents" section — so users from each state can quickly find the rights that apply to them. Maintaining a single well-organized policy is far more practical than managing 17 separate documents, and none of the active state laws require a separate policy document.
Penalties vary by state. California's AG can fine up to $7,500 per intentional violation. Texas can fine up to $7,500 per violation with no cure period. Most states provide a 30- to 60-day cure period for businesses to fix violations before fines are assessed — Kentucky and Indiana explicitly allow a 30-day cure window. Enforcement is AG-driven in all current state laws, meaning individuals cannot sue you directly (no private right of action) in most states. However, California's CPRA does allow a private right of action for certain data breaches.
Written by
Abd Shanti. Building FreeTOS.org. Writing about website compliance, legal documents, and making legal tools accessible to everyone.