States' Privacy Laws Will Cover About Half of Americans in 2026

Having 100% of state-enacted comprehensive privacy laws in effect means nearly half of all Americans will be covered by a state privacy law, said Jordan Francis, Future of Privacy Forum senior privacy counsel. It’s more than half if one counts Florida’s privacy statute, which FPF and some other experts don’t, he said. “I'm curious to see ... what this will mean as we enter perhaps a new phase of laws.”

Wiley privacy attorney Joan Stewart believes that having comprehensive privacy laws in about 20 states "takes some of the pressure off the other states" to enact laws, she said in an interview. Indeed, no states passed comprehensive privacy bills in 2025. "So many companies" have decided to adopt a nationwide approach, Stewart said. "They're extending those rights, they're following these protocols, even if it's not legally required in a certain state."

But Consumer Reports Policy Analyst Matt Schwartz disagreed. “We still see companies geofencing, at least in their privacy policies,” to say that “certain standards apply for people in certain states and certain [other] standards apply for people that aren’t in those states,” he said. “Having a significant chunk of the population covered by privacy laws is good, [but] I don't think that automatically means that most companies will apply those standards nationally.”

Schwartz added, “I certainly don't think the incremental value of Kentucky, Indiana and Rhode Island joining the map is going to be the thing that pushes that over the edge.” From a consumer protection standpoint, the three new laws don’t add much, and in fact they are “in line with some of the weaker laws that we've seen passed in other states,” said the CR official: For example, none of the three require companies to honor universal opt-out signals.

Hayley Tsukayama, Electronic Frontier Foundation state affairs director, agreed the three new laws are “fairly standard" in that they take a "slightly more business-friendly, middle-of-the-road” approach.

Francis said that the “newest wave of laws coming into effect is largely aligned with what we've already seen in existing laws.” Stewart agreed it’s “a much lighter lift” with these three new laws, compared to previous rounds of state privacy measures.

Rhode Island

Still, Stewart flagged Rhode Island’s law for having “a few quirky little provisions in it that have required some follow-up phone calls with clients to try and work through how to deal with them.”

One “unique” aspect of Rhode Island’s law is a requirement that a company selling or transferring personally identifiable information (PII) identify the third parties where that information is going. However, the Wiley lawyer noted that PII isn’t defined in the state law, which otherwise refers to personal data. “We think the legislature intended that to be a [narrower] category of data, probably more similar to ... what we see in data breach laws,” she said.

Another quirk of Rhode Island’s law is that its applicability thresholds don’t apply to privacy notice obligations, Stewart said. The lawyer reads this as meaning that “if anything in the privacy notice covers anybody in Rhode Island, you can't rely on those thresholds to say it doesn't apply to you.” They could apply to “any size company,” she added.

Rhode Island has no right to cure, said Stewart, so it will be “interesting to watch” how aggressive state enforcers will be and if they “understand that there’s some ambiguity in this law.”

Likewise, Francis said, Rhode Island’s law mostly resembles other states’ privacy statutes, with a few "unique aspects.” One is that Rhode Island has a more prescriptive privacy notice requirement that includes some distinct terminology, the FPF official said. “First, it requires any commercial website or internet service provider who's subject to Rhode Island's jurisdiction to designate a controller,” he said. “And then, for a controller of a commercial website or ISP that collects stores and sells customers personally identifiable information, they then have to post the privacy notice that provides required details about the personal data that the website or online service collects about consumers.”

The Rhode Island law lacks several privacy rights and business obligations common to other state privacy laws, said Francis. “For example, there's no general data minimization requirement or consent requirement for secondary use of personal data,” he said. Not only that, he said, but Rhode Island’s law has a “broad pseudonymous data exception that applies to all of the consumer rights,” including -- unlike many state laws -- for opt-out requests. Also, unlike most newer privacy laws, “there are no opt-in consent requirements for teenagers.”

On the other hand, Rhode Island’s privacy statute carries slightly higher penalties than other state laws, said Francis. It has a base penalty of $10,000 per violation under the state's law on deceptive trade practices, plus an additional $100-$500 per disclosure, said Francis: Most states’ privacy laws have penalties of about $7,500 without additional fines.

Schwartz said the third-party disclosure requirement is the “one good thing” about Rhode Island’s law. Aside from that, its privacy policy requirements are “extremely weak,” said the CR official: For example, they apply only to ISPs and commercial websites and not to offline businesses. In addition, the state doesn’t require covered companies to link from the privacy policy to the opt-out form as in other states, nor does it force companies to explain how consumers can exercise their rights, he said.

Schwartz also criticized the law’s broad carveout for pseudonymous data, which “is defined in such a way as to arguably include mobile advertising IDs,” IP addresses or other device identifiers, said the consumer advocate: That’s “a huge loophole.”

Kentucky and Indiana

Meanwhile, the Indiana and Kentucky privacy laws have “good overlap with the bulk of” privacy laws in other states, Stewart said. “We aren't seeing any little quirks” requiring “specialized provisions,” so those should be “fairly easy” to implement for companies already comfortable complying in other states, she said.

Kentucky’s law is “heavily modeled on the original Virginia law,” with a narrow definition of sale and a focus on exchange of personal data when money is involved, Francis said. In addition, it includes broad entity-level and common data-level exemptions. One area where Kentucky goes beyond Virginia -- but is similar to some other states’ privacy laws -- is with a broader definition of biometric data to include content from a photograph, video or audio recording, he said.

Indiana’s privacy law similarly doesn’t “do much new,” said Francis. Hewing closely to the Virginia approach, it has narrow definitions for sale and for sensitive, health and biometric data. In addition, he noted that it provides a mandatory right to cure that doesn’t sunset.

Indiana’s attorney general recently released a privacy bill of rights to educate consumers about the new law (see [Ref:2512010038). Francis highlighted the document as being “very digestible for a lay person” and said it could raise consumer awareness more than the customary press release.

Schwartz criticized the Kentucky and Indiana laws for including a narrow definition of sale that covers only purchase transactions. That “arguably rules out … the Facebook model of ad targeting, where Facebook would argue they're not selling your data” but rather “access to it.” In addition, both laws have cure periods that don’t expire, he said.

Kentucky’s law has the same problematic carveout for pseudonymous data as Rhode Island, while Indiana has “terrible anti-discrimination language” that allows businesses to discriminate against customers who exercise their opt-out rights, added the CR official. “In Indiana, a business could theoretically raise a price or deny service if someone opts out, which just completely undercuts the opt-out right and makes it useless.”