secure-os.org

US Data Privacy Laws in 2026: The State Patchwork Explained

secure-os · Updated June 18, 2026 · 7 min read · #privacy #data-protection #ccpa #us-law #consumer-rights

The United States is one of the few large economies without a single, comprehensive federal data privacy law. Instead, privacy in the US is a patchwork: a growing collection of state laws, each with its own scope, rights and exceptions. As more states pass their own statutes — with new ones taking effect through 2026 — it’s worth understanding what this actually means for you, and what you can do to protect your data without waiting for a law to catch up.

The short answer

  • There is no one US federal privacy law covering most consumers the way the EU’s GDPR does. A handful of federal laws cover specific sectors (health, finance, children online), but not personal data in general.
  • Instead, individual states have stepped in. California led with the CCPA (later strengthened by the CPRA), and many more states have since passed their own comprehensive privacy laws, with additional ones taking effect in 2026.
  • The result is a patchwork: your rights can depend heavily on which state you live in.
  • You don’t have to wait for legislation — most of your privacy is still in your own hands through tools and habits you control today.

A wooden judge's gavel with a brass band, resting on a round sound block on a wooden table — US data privacy is shaped largely through courts and a patchwork of state statutes rather than one federal law.

Why there’s no single federal law

For years, US lawmakers have debated a comprehensive federal privacy bill, but none has been enacted into a general consumer-privacy law. The federal rules that do exist are sector-specific — for example, laws addressing health information, financial data, and the online collection of data from children. They protect particular categories of information, not personal data across the board.

That gap is what state legislatures have been filling. Rather than one national standard, the US has ended up with state-by-state rules — which is exactly why people talk about a “patchwork.”

The state patchwork: CCPA and beyond

California was first to pass a broad consumer privacy law, the California Consumer Privacy Act (CCPA), later expanded by the California Privacy Rights Act (CPRA). Other states — including Virginia, Colorado, Connecticut, Utah and a growing list of others — have since enacted their own comprehensive privacy statutes, and more are coming into force in 2026.

These laws differ in their details (who counts as a covered business, what thresholds apply, how they’re enforced), but they tend to share a common backbone of consumer rights:

  • The right to know / access — find out what personal data a company holds about you and how it’s used.
  • The right to delete — ask a company to delete the personal data it has collected about you.
  • The right to correct — fix inaccurate personal data (in many of the newer laws).
  • The right to opt out of the “sale” or sharing of your personal data, and of certain targeted advertising.
  • The right to non-discrimination — you shouldn’t be penalised for exercising these rights.

The exact wording, definitions and exceptions vary by state, so the same request can play out differently depending on where you live and which law applies.

The United States Capitol in Washington, D.C., its white dome topped by a statue, with an American flag flying in front against a bright sky — federal privacy legislation has been debated here for years but not enacted as one comprehensive law, leaving the states to act.

What this actually changes for you

If you live in a state with a comprehensive privacy law, you generally have a path to see, correct, delete, and limit the sale/sharing of your data with covered companies — usually via a privacy request form or a “Do Not Sell or Share My Personal Information” link. That’s a real, useful lever.

But there are limits worth being honest about:

  • Coverage is uneven. If your state hasn’t passed a law, you may have far fewer statutory rights than a neighbour one state over.
  • Exemptions exist. Many laws carve out certain organisations, data types or business sizes.
  • You have to act. Rights like deletion and opt-out generally require you to make a request — they don’t happen automatically.
  • Enforcement varies. How aggressively a law is enforced, and by whom, differs from state to state.

In other words, the patchwork is a meaningful improvement over nothing — but it’s not a substitute for protecting your data yourself.

How to protect yourself without waiting for the law

Legislation moves slowly and unevenly. The good news is that the most effective privacy protections don’t depend on where you live — they depend on what you do:

  • Minimise what you share. The data a company never collects can’t be sold, leaked or subpoenaed. Give out less: fewer accounts, fewer real details, fewer permissions.
  • Use a private browser and block trackers. Much profiling happens silently through web trackers. A privacy-respecting browser cuts that off at the source. (See the best private browser options.)
  • Encrypt your data. Encryption keeps your files and messages readable only by you, regardless of who holds them. (See what is encryption.)
  • Control your DNS and network footprint. Your DNS lookups reveal the sites you visit; securing them — and masking your IP — limits passive profiling. (See secure DNS.)
  • Exercise the rights you do have. Where your state offers access, deletion and opt-out, use them — and consider opting out of data-broker listings.

The bottom line

The US privacy landscape in 2026 is a patchwork: no single federal law, a sector-specific federal floor, and a growing set of state laws — led by California’s CCPA/CPRA — that give consumers real rights to access, delete and opt out, but unevenly depending on geography. Knowing which rights you have where you live is worth it. But the most reliable protection is still the part you control: share less, encrypt more, and lock down your network and accounts today, rather than waiting for the law to reach you.

Frequently asked questions

Does the US have a federal data privacy law like GDPR?

No. The US has no single, comprehensive federal privacy law covering most personal data the way the EU’s GDPR does. There are federal laws for specific sectors (such as health and financial information, and children’s online data), but general consumer-data privacy is governed mainly at the state level, which is why the US system is described as a patchwork.

Which US states have data privacy laws?

California was first, with the CCPA (later expanded by the CPRA). Other states — including Virginia, Colorado, Connecticut and Utah, among a growing list — have enacted their own comprehensive consumer privacy laws, and additional state laws are taking effect through 2026. Because the list keeps changing, check your own state’s current law for the exact rights and timing.

What rights do US state privacy laws give me?

Most comprehensive state laws share a core set of rights: to know/access what data a company holds, to delete it, often to correct it, to opt out of the sale or sharing of your data (and certain targeted ads), and to non-discrimination for exercising these rights. The precise definitions, thresholds and exceptions vary by state.

How can I protect my data if my state has no privacy law?

You don’t need a law to protect yourself. Minimise the data you share, use a private browser and block trackers, encrypt your files and messages, secure your DNS and mask your IP, and opt out of data-broker listings where you can. These steps work regardless of your state and don’t depend on legislation catching up.