Which State Privacy Laws Apply to Your Business?
20 US states now have comprehensive privacy laws. Use this guide to find out which ones apply to your business — and what you need to do about it.
If you sell products or services online, there's a good chance you're subject to at least one state privacy law — even if you're not physically based in that state.
As of 2026, 20 US states have enacted comprehensive consumer privacy laws, each with different thresholds for who must comply. The penalties range from $2,500 to $7,988 per violation, and most states have eliminated or shortened the "cure period" that used to let you fix mistakes before being fined.
The Problem: It's Not Just California Anymore
Most small business owners know about the CCPA (California Consumer Privacy Act). But did you know that Texas, Colorado, Connecticut, Virginia, and 15 other states now have their own privacy laws — each with its own definitions, thresholds, and enforcement bodies?
Each state has different rules for:
- Revenue thresholds — some kick in at $25M revenue, others have no revenue minimum at all
- Consumer data volume — processing personal data from 100K+ consumers triggers most state laws
- Data sales — selling or sharing personal data triggers requirements at lower thresholds
- Cure periods — some states give you 30 days to fix violations, others give you zero
The result: a business based in Idaho with customers in California, Texas, and Colorado may be subject to three different state privacy regimes simultaneously, each with different definitions of "sale," "sensitive data," and "consumer rights."
How to Find Out Which Laws Apply
The fastest way: take Purview's free compliance quiz. Spend about 5 minutes answering questions about your business, and get an instant report showing which state laws apply, your estimated fine exposure, and what to do first.
If you'd rather do the analysis yourself, here's the framework most privacy lawyers use:
Step 1 — Map your consumers by state
Pull your last 12 months of orders, signups, or leads and count the unique consumers per state. Any state where your business has more than 100,000 consumers is almost certainly a "covered" state under that state's law.
Step 2 — Identify which states have laws
As of 2026, the states with comprehensive privacy laws are:
| State | Law | Effective | Key Threshold |
|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 | $25M revenue OR 100K consumers |
| Virginia | VCDPA | Jan 2023 | 100K consumers OR 25K + data sales |
| Colorado | CPA | Jul 2023 | 100K consumers OR 25K + data sales |
| Connecticut | CTDPA | Jul 2023 | 100K consumers OR 25K + data sales |
| Utah | UCPA | Dec 2023 | $25M revenue + 100K consumers |
| Texas | TDPSA | Jul 2024 | No revenue minimum — most businesses |
| Oregon | OCPA | Jul 2024 | 100K consumers OR 25K + data sales |
| Montana | MCDPA | Oct 2024 | 50K consumers OR 25K + data sales |
And 12 more states with laws rolling out through 2026. The free quiz covers all of them.
Step 3 — Check the "sale" definition
Most state laws define "sale" broadly enough to include sharing data with ad platforms. If you run Meta Pixel, Google Ads remarketing, or TikTok Pixel, you're probably making "sales" of personal data under California, Colorado, and Connecticut's definitions — even if no money changes hands.
This is the most common way small businesses accidentally become covered.
What Happens If You Ignore This
State attorneys general are actively enforcing these laws. Recent examples:
"Todd Snyder Inc. agreed to pay $345,000 to resolve allegations that the company failed to honor consumer opt-out requests and maintained inadequate privacy disclosures." — California Attorney General enforcement action
"TicketNetwork settled with the Connecticut Attorney General for $85,000 over unauthorized data collection and missing consumer disclosures." — Connecticut AG press release
These aren't Fortune 500 companies. They're the kind of mid-sized businesses that assumed state privacy laws were "for Google and Facebook."
What to Do Next
Here's the short version of what every covered business needs:
- Take the free compliance quiz — find out which laws apply in under 5 minutes
- Review your privacy policy — make sure it covers all applicable states (the "strictest wins" rule usually applies)
- Install a consent/opt-out mechanism — a Global Privacy Control signal handler and a "Do Not Sell/Share" link at minimum
- Set up a DSAR process — consumers have the right to access, delete, and correct their data, and you must respond within 45 days
Purview automates all four steps. Plans start at $49/month. See pricing.
This article is for informational purposes only and does not constitute legal advice. For guidance on specific compliance decisions, consult a qualified attorney.