14 October 2025

The Complete Guide to US State Privacy Laws for Small Businesses (2025-2026)


The United States does not have a single federal data privacy law. Instead, individual states have enacted their own. Each state-level data privacy law has its own effective date and its own compliance requirements, including applicability thresholds based on the volume of data processed or on revenue.

Recent years have seen the activation of several new state privacy laws. In 2024, seven states enacted comprehensive consumer privacy laws. Additionally, four new state privacy laws have taken effect.

This trend is expected to persist in 2025 and continue into 2026.

In 2025, eight new U.S. state-level comprehensive privacy laws took effect.

This blog article provides an overview of these laws and delves deeper into the key aspects and compliance requirements of the eight state privacy laws.

Why U.S. State Privacy Laws Matter for Small Businesses in 2025–2026

For years, data privacy regulations were mostly a concern for large companies. That’s no longer the case. As new U.S. state privacy laws take effect in 2025 and 2026, small businesses must also take compliance seriously.

In 2025, enforcement trends show regulators are focusing more broadly, including small businesses that operate smaller digital platforms and apps. Regulators are increasingly issuing fines to businesses of all sizes, and this trend is expected to continue and even increase in 2026.

Violations involving children’s data, health data, or deceptive practices tend to attract tougher scrutiny and higher penalties.

Noncompliance with US state-level data privacy laws could lead to both legal and reputational risks.

First, even if fines for data privacy law violations are assessed per user or per record, the total sum of fines for such violations could become substantial. Even if your business has only a modest user base, the total sum of fines can increase rapidly, especially under state privacy laws with per-violation penalties.

Second, don’t neglect reputational damage. Nowadays, consumers are worried about their privacy and are more likely to choose companies that ensure transparency and respect privacy rights.

In 2025, the California Privacy Protection Agency (CPPA) fined the clothing retailer Todd Snyder nearly $350,000 because its users were temporarily unable to exercise opt-out choices and because it over-collected information. Due to technical errors that lasted for 40 days, users of the Todd Snyder website could not submit requests to opt out of having their information sold or shared. While Todd Snyder is not a micro-business, the case demonstrates that mid-sized retailers are subject to state privacy enforcement.

In another recent case, the Connecticut Attorney General’s office issued an $85,000 fine to TicketNetwork, a small business, for failing to comply with the Connecticut Data Privacy Act.

Key U.S. State Privacy Laws Coming into Effect in 2025 and 2026

In total, comprehensive privacy laws take effect in eight U.S. states in 2025, and more are on the way in 2026.

Additionally, some privacy laws that were passed earlier will have ongoing updates through 2025 and 2026.

Here are all the new state-level privacy laws that came into force in 2025 and their key features:

| Name of law | Effective date | Key features |
|---|---|---|
| Delaware Personal Data Privacy Act (DPDPA) | January 1, 2025 | Applies to entities doing business or targeting residents. Includes broader definitions of sensitive data. |
| Iowa Consumer Data Protection Act (ICDPA) | January 1, 2025 | Grants consumers rights to access, correct, and delete their personal data, opt out of data sales and targeted advertising, and receive breach notifications. |
| Nebraska Data Privacy Act (NDPA) | January 1, 2025 | Grants consumers rights like data access, correction, deletion, and the ability to opt out of targeted advertising, data sales, and profiling. |
| New Hampshire Data Privacy Law (NHDPL) | January 1, 2025 | Includes an opt-out model for data processing, and the requirement for explicit consent to process sensitive data or engage in targeted advertising. |
| New Jersey Data Privacy Act (NJDPA) | January 15, 2025 | Grants consumers rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising or sale of their data. |
| Tennessee Information Protection Act (TIPA) | July 1, 2025 | Grants consumers rights to access, correct, delete, and port their personal data, and opt out of data sales, targeted advertising, and profiling. |
| Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 | Grants consumers rights to opt out of sales and targeted advertising, and appeal data processing decisions. Sets obligations for controllers and processors. |
| Maryland Online Data Protection Act (MODPA) | October 1, 2025 | Strict data minimization for all personal data, a near-total prohibition on the sale and processing of sensitive data, and mandatory DPIA for high-risk activities. |

In 2026, these new state-level data privacy laws or amendments to the laws will come into force:

| Name of law | Effective date | Key features |
|---|---|---|
| Kentucky Consumer Data Protection Act (KCDPA) | January 1, 2026 | Grants Kentucky residents comprehensive privacy rights and sets controller obligations to opt-out of targeted advertising or sales of their data. |
| Indiana Consumer Data Protection Act (ICDPA) | January 1, 2026 | Grants Indiana residents comprehensive privacy rights and sets controller obligations, similar to other state laws. |
| Rhode Island Data Transparency & Privacy Protection Act | January 1, 2026 | Requires data collection notices, obtaining consent for sensitive data, and opt-out of the sale or targeted advertising of their Personal Information. |
| Amendment to Virginia's VCDPA | Scheduled to take effect January 1, 2026 | Requires social media platforms to make “commercially reasonable efforts” to determine user age, and limits usage for accounts under age thresholds. |
| Updates to Nebraska's NDPA | July 1, 2026 | Requires social media platforms to verify the age of users and obtain parental consent for minors; gives parents certain controls and rights. |
| Texas's new Child-Safety Bill (SB 2420) | January 1, 2026 | Requires app stores to verify user ages, obtain parental consent for minors' app downloads and purchases, and share age and consent information with developers. |

California Privacy Rights Act (CPRA) updates for 2025

California continues to lead the way in data protection. In 2025, CPRA has the following updates:

  • Third-party data sharing: Stricter requirements for vendor contracts and consent management.
  • Employee and B2B data: Temporary exemptions are ending, so all personal data must now be covered.
  • Automated decision-making transparency: Businesses may be required to disclose the logic behind algorithms used in profiling or personalization.

Note that even small businesses serving California residents must ensure compliance.

How State Privacy Laws Differ: A Quick Overview by Region

Although many state laws share core principles, regional differences can complicate compliance. There are the following differences among state privacy laws:

  • West Coast
    California’s CPRA and Oregon’s OCPA emphasize consumer opt-outs and detailed notice requirements.
  • South and Midwest
    Texas and Iowa have more business-friendly provisions, but still require clear privacy notices and data protection assessments.
  • East Coast
    Delaware and New Jersey laws align more closely with the EU’s GDPR, demanding higher transparency and consent standards.

For businesses operating across many states, adopting a unified privacy framework that fits all states is often the most efficient approach.

Practical Steps to Stay Compliant With U.S. Data Privacy Regulations

Effective compliance addresses multiple laws and adapts to new rules. Use these recommendations to stay compliant with U.S. data privacy regulations:

  1. Implement a multi-state compliance approach
    To reduce complexity, businesses should adopt privacy programs meeting the strictest state requirements.
  2. Update your Privacy Policy
    Ensure it’s clear, accessible, and matches your actual data practices.
  3. Audit your data
    Perform data mapping and inventory to identify what personal data you collect, where it’s stored, whether it is secure, and who has access.
  4. Conduct a DPIA
    Conduct data protection impact assessments for high-risk processing activities, such as the collection and storage of sensitive personal data or data usage for targeted advertising or profiling.
  5. Review vendor contracts
    Make sure third-party processors also comply with privacy standards. Review vendor due diligence and contracts.
  6. Build consumer request systems and prepare for data requests
    Consumers should be able to easily make requests about how their data is handled. Develop easy-to-reach consumer request systems such as online forms. Set up internal procedures for handling consumer access or deletion requests efficiently.
  7. Accept opt-out signals
    Respect universal opt-out signals such as Global Privacy Control.
  8. Data Protection Officer
    If needed, assign a Data Protection Officer.
  9. Employee training
    Train employees on how to handle data safely and on how and when to disclose data.
  10. Implement a consent management platform (CMP)
    A CMP is used to deliver a cookie notice, inform consumers about data collection practices, and obtain and record user consent in compliance with state laws. Select a CMP that best fits your company’s needs.

CookieScript CMP could be your best choice. In 2025, CookieScript received its fourth consecutive badge as the leader on G2, a peer review site, and became the best CMP on the market for a whole year!

When to Appoint a Data Protection Officer

Most small businesses aren’t legally required to appoint a Data Protection Officer (DPO). However, it’s recommended to appoint a DPO if you:

  • Process large volumes of sensitive or personal data.
  • Operate across multiple states with differing privacy laws.
  • Handle user data for profiling or automated decision-making.

You could choose an internal or external DPO. A DPO helps oversee compliance strategy, conduct audits, and act as a liaison with regulators.

Future Trends: What’s Next for State-Level Privacy in the U.S.

The U.S. privacy landscape is moving toward greater standardization. In 2026 and beyond, expect:

  1. Continued State-Level Expansion
    More states are expected to adopt privacy laws in 2025 and 2026, covering areas such as AI, automated decision-making, biometric data, and children’s online safety. These new state laws will regulate what data could be collected and how businesses process consumer data. Ultimately, all states should enact data privacy laws to protect consumer data privacy and security.
  2. Stricter privacy laws
    More states are adopting GDPR-style laws with stricter requirements, uniform rights and definitions.
  3. Federal data privacy law
    There have been multiple attempts to pass a federal data privacy law in the United States. The American Data Privacy and Protection Act (ADPPA) was proposed in 2022, but was never enacted. The American Privacy Rights Act (APRA) was introduced in April 2024, but is still under discussion in 2025. In 2025 and 2026, federal legislation discussions re-emerge, aiming to unify privacy protections nationwide.
  4. Stronger enforcement
    State attorneys general and new privacy agencies are expected to implement stronger enforcement of data privacy laws.
  5. Greater focus on AI
    Greater focus on AI and automated decision-making transparency, especially in consumer-facing sectors.

For small businesses, privacy compliance is no longer optional; it’s a business necessity. Failing to comply with any state privacy law could lead to huge penalties or even suspension of the business’s activities.

Tools and Frameworks to Simplify Privacy Compliance

Compliance doesn’t have to be manual or expensive. Several tools can streamline privacy management, so that even small businesses could comply with state privacy laws without spending much.

Use the following tools to simplify privacy compliance:

  • Consent Management Platforms (CMPs)
    CMPs like CookieScript help automate Cookie Consent banners and obtain and record user consent.
  • Cookie Scanners
    With CookieScript Cookie Scanner, you can automatically scan your website for cookies, local storage, session storage, and other trackers and add them to your site’s list of cookies.
  • Privacy Policy generators
    Privacy Policy generators help your business or website to create a compliant Privacy Policy that is aligned with the requirements of different states.
  • Data mapping tools
    Data mapping tools help your business or website to visualize how data moves across your systems.

CookieScript CMP encompasses all the necessary features for compliance in one place.

  • Cookie banner customization
  • Privacy Policy Generator
  • Cookie Scanner
  • Consent recordings
  • Third-party cookie blocking
  • Integrations with CMS platforms like WordPress, Shopify, Drupal, Joomla, etc.
  • Google Consent Mode v2 integration
  • IAB TCF v2.2 integration
  • Certification by Google
  • CookieScript API

Additionally, CookieScript offers one of the best pricing plans on the market, starting with just €8/month/domain for the entry-level (Lite Plan). The Plus pricing plan includes all features and costs €19/month/domain. It is best suited for small and medium-sized companies.

CookieScript is valued by users for its pricing model. Plans are transparent and scale based on traffic or the number of domains, making it tailored for businesses at different growth stages.


Final Thoughts

By staying ahead of state privacy laws, small businesses can ensure compliance, build trust, avoid costly penalties, and align with the growing expectations of privacy-aware consumers. The easiest way to comply with current and emerging state-level data privacy laws could be to adopt a trusted Consent Management Platform (CMP) like CookieScript. In under an hour and with a limited budget, most businesses can transition from "no compliance" to "fully covered."

Frequently Asked Questions

How many U.S. states have their own data privacy laws as of 2025?

By 2025, at least 19 states have enacted comprehensive privacy laws. Eight new ones are taking effect in 2025, including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland. Three more (Kentucky, Indiana, and Rhode Island) are set to take effect in 2026. Use CookieScript CMP to comply with state-level data privacy laws.

Do small businesses have to comply with state privacy laws?

It depends on the scope thresholds in each law. Some laws apply only to businesses processing large volumes of personal data (e.g., over 100,000 consumers annually) or having a large turnover, while others include smaller companies that collect data or sell targeted ads. However, more privacy laws are getting stricter with stronger enforcement and many customers now expect transparent data handling. So, even for small businesses, it’s smart to adopt privacy best practices.

What happens if a small business doesn’t comply with privacy laws?

Non-compliance can lead to state attorney general investigations, civil penalties, or lawsuits. For example, fines under the California CPRA can reach $2,500 per unintentional violation and $7,500 per intentional violation. Other states have similar penalty structures, often “per consumer record,” which can add up quickly even for small businesses. CookieScript CMP can determine customers' location based on geo-targeting and could help you to comply with different state privacy laws.

Which U.S. state privacy laws come into effect in 2026?

Three confirmed state laws will take effect in 2026: Kentucky Consumer Data Protection Act (KCDPA, January 1, 2026), Indiana Consumer Data Protection Act (ICDPA, January 1, 2026), and Rhode Island Data Transparency and Privacy Protection Act (January 1, 2026). CookieScript CMP can determine customers' location based on geo-targeting and could help you to comply with different state privacy laws.

What are practical steps for small businesses to stay compliant with U.S. data privacy regulations?

Use these recommendations to stay compliant with U.S. data privacy regulations: implement a multi-state compliance approach, update your Privacy Policy, audit your data, conduct a DPIA, review vendor contracts, build consumer request systems, and implement a Consent Management Platform (CMP) like CookieScript.

When to Appoint a Data Protection Officer

Most small businesses aren’t legally required to appoint a Data Protection Officer (DPO). However, it’s recommended to appoint a DPO if you: a) process large volumes of sensitive or personal data; b) operate across multiple states with differing privacy laws; or c) handle user data for profiling or automated decision-making.

 