If you don't live in California, it's easy to assume you have no real privacy rights over your own data. That assumption is increasingly out of date: as of 2026, roughly 20 US states have their own comprehensive consumer privacy law, each granting rights beyond CCPA — many people simply don't know their state is one of them.
The states, and why this grew so fast
Starting from just California (2020) and Virginia (2021), state privacy law has expanded rapidly: Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island have all since joined, with Indiana, Kentucky, and Rhode Island the newest as of January 2026. If your state isn't on this list yet, it's worth checking again periodically — several more have legislation actively moving through their legislatures.
The core rights these laws generally give you
- The right to know what personal data a company holds about you
- The right to request deletion
- The right to correct inaccurate data
- The right to opt out of your data being sold or used for targeted advertising
- The right to opt out of certain automated profiling
Companies generally have 45 days to respond to a request under most of these state laws — broadly similar to CCPA's own timeline, though always worth confirming for your specific state.
The feature most people have never heard of: Universal Opt-Out
A growing number of these states — including Colorado (the first to require it), Connecticut, Texas, Oregon, Montana, Delaware, and New Jersey — require businesses to honor a browser-level signal called Global Privacy Control (GPC). Enable it once in a supporting browser or extension, and it automatically tells every website you visit that you're opting out of having your data sold or used for targeted ads — no need to hunt down an opt-out link on each individual site.
An important limit worth being clear about: almost no private right of action
Unlike GDPR-style enforcement, only California allows individuals to sue directly under its privacy law — and even then, only for data breaches involving specific categories of information, not general violations. Every other state's privacy law is enforced solely by that state's Attorney General, meaning an individual generally can't bring their own lawsuit for a violation — you file a complaint and the state decides whether to act.
Also worth knowing: many states initially gave businesses a "cure period" — a window to fix a violation before facing a fine once notified. That leniency is actively disappearing. Colorado and Connecticut have already eliminated their cure periods, and more states are following the same pattern — enforcement is getting stricter, not softer, over time.
How to actually use your state's right
- Check whether your state has a comprehensive privacy law and what rights it specifically grants — details do vary.
- Submit a data access, correction, or deletion request directly to the company (most large companies now have a dedicated privacy request form given how many states require one).
- If you're on a supporting browser, enable Global Privacy Control to apply a blanket opt-out automatically going forward.
- If a company ignores your request past the 45-day window, file a complaint with your state Attorney General's consumer protection office.
See also: data rights aren't the only patchwork that now depends on your state — whether your non-compete is even enforceable also comes down entirely to where you work.