Question 1

How many US states have comprehensive privacy laws?

Accepted Answer

As of 2026, roughly 20 US states have enacted comprehensive consumer data privacy laws, with more passing each session. The first wave includes California (CCPA, amended by CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). The second wave includes Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey, New Hampshire, Kentucky, Maryland (MODPA), Minnesota, Rhode Island, Indiana, and Nebraska. Each law has its own scope thresholds, consumer rights, and enforcement model. The exact count changes frequently as new laws take effect, so check current trackers from organizations like IAPP or Husch Blackwell for the latest list.

Question 2

Does my small business have to comply with CCPA?

Accepted Answer

Under the California Consumer Privacy Act, as amended by the CPRA (Cal. Civ. Code 1798.140), a business is covered if it does business in California, determines the purposes and means of processing personal information, and meets one of three thresholds: annual gross revenue over $25 million; buys, sells, or shares the personal information of 100,000 or more California consumers or households per year; or derives 50 percent or more of annual revenue from selling or sharing personal information. Many small B2C businesses with a website used by California residents cross the 100,000-consumer threshold faster than they realize because the count includes IP addresses and cookie identifiers tied to devices.

Question 3

What is the consumer threshold for state privacy laws?

Accepted Answer

Most state privacy laws other than California use a consumer-count threshold rather than a revenue threshold. Virginia, Colorado, Connecticut, and most second-wave states apply if you process the personal data of 100,000 or more state residents per year, or 25,000 residents if you derive a certain percentage of revenue from selling personal data. Texas TDPSA is the outlier: it has no consumer threshold and applies to any business that is not a small business under SBA size standards. Tennessee TIPA uses a $25 million revenue floor plus consumer counts. Always check the specific law for the state you serve, since thresholds vary.

Question 4

What is a Data Processing Addendum?

Accepted Answer

A Data Processing Addendum (DPA) is a contract between a controller (the business that decides how personal data is used) and a processor (a vendor that handles personal data on the controller's behalf). State privacy laws like CPRA (Cal. Civ. Code 1798.140(ag)), VCDPA, CPA, and CTDPA require specific contractual terms before sharing personal information with a service provider or processor: defined processing purposes, confidentiality obligations, deletion or return of data at end of engagement, audit rights, sub-processor flow-down requirements, and assistance with consumer rights requests. Without a compliant DPA, the vendor may be treated as a third party, which can trigger sale or sharing disclosure obligations under CCPA.

Question 5

Which states have the most aggressive privacy enforcement?

Accepted Answer

California is by far the most active enforcer. The California Privacy Protection Agency (CPPA) and the California Attorney General both have enforcement authority and have issued settlements against companies like Sephora, DoorDash, and Tilting Point. Connecticut and Colorado have also been publicly active through their attorneys general, sending cure-period letters and publishing enforcement priorities. Texas has signaled aggressive enforcement of TDPSA. Most other state laws are enforced exclusively by the state attorney general and have a right-to-cure period that limits early enforcement activity. North Privacy Advisors helps small to mid-sized businesses navigate the patchwork through state law gap assessments.

Question 6

Do I need to comply if I only have a few customers in another state?

Accepted Answer

Usually no, because most state privacy laws have consumer-count or revenue thresholds that small out-of-state customer bases do not trigger. If you have only a handful of customers in Virginia, Colorado, or Connecticut, you almost certainly fall below the 100,000-resident threshold. California is the riskier case: the 100,000-consumer threshold counts unique identifiers like IP addresses and cookies, so a popular consumer-facing website can cross it without realizing. Texas TDPSA also has no consumer threshold, so any business doing business with Texas residents that does not qualify as a small business under SBA size standards is in scope. Map your data flows to actual statutory thresholds.

US State Data Privacy Laws for Small to Mid-Sized Businesses

What "state privacy law" actually means in 2026 for a small business

The thresholds vary, and that is where most SMBs get confused

What audit-ready state privacy compliance looks like

All articles in this topic

5 signs your small business already falls under state privacy laws

Delaware DPDPA: Small Business Privacy Law Compliance Guide

Colorado Now Has America's Costliest State Privacy Law

State Privacy Law Thresholds: When Does Your Business Need to Comply?

Texas Data Privacy Act: Business Compliance Guide 2025