The 2026 US State Privacy Laws: Every Data Removal Right by State

# The 2026 US State Privacy Laws: Every Data Removal Right by State

There is no US federal privacy law. What you have instead is a patchwork of state laws, each with its own definitions, rights, and enforcement mechanisms. If you live in California, you can demand deletion. If you live in Alabama, you have almost no state-level privacy rights at all. If you live in California and the data broker is based in Texas, California law still usually applies to you.

This post walks through the active and imminent state laws as of 2026, what each grants, and how to actually invoke your rights. Sources are linked throughout; this is a reference to cite.

The 2026 landscape

As of 2026, at least 19 US states have passed comprehensive consumer privacy laws:

• California — CCPA (2020), amended by CPRA (2023)

• Virginia — VCDPA (2023)

• Colorado — CPA (2023)

• Connecticut — CTDPA (2023)

• Utah — UCPA (2023)

• Texas — TDPSA (2024)

• Oregon — OCPA (2024)

• Montana — MCDPA (2024)

• Delaware — DPDPA (2025)

• Iowa — ICDPA (2025)

• Tennessee — TIPA (2025)

• Indiana — INCDPA (2026)

• New Hampshire — NHPA (2025)

• New Jersey — NJDPA (2025)

• Maryland — MODPA (2025)

• Minnesota — MCDPA (2025)

• Rhode Island — DTPPA (2026)

• Kentucky — KCDPA (2026)

Several other states have narrower sectoral laws (Washington for health data, Nebraska for children, Florida for large platforms).

The five rights every comprehensive law grants

The specifics differ; the shape does not. Every comprehensive state law gives residents some version of these five rights:

• Right to know — ask a business what personal data it has collected about you, where it got the data, and who it shared it with.

• Right to delete — ask the business to delete your personal data. There are exceptions (legal obligations, fraud prevention, active customer relationship), but for data brokers the exceptions rarely apply.

• Right to correct — ask the business to correct inaccurate data about you.

• Right to opt out of sale and targeted advertising — the critical right for data broker cases. A broker's business model *is* the sale, so this right, when invoked, forces effective removal.

• Right to portability — get a copy of your data in a machine-readable format.

Response time: most laws require a response within 45 days, extendable by another 45 for complex requests.

CCPA / CPRA (California)

The strongest and best-tested US privacy law. The California Privacy Protection Agency is an active enforcement body with its own rulemaking authority.

• Enforced by the California AG and the CPPA.

• Applies to businesses processing the personal data of 100,000+ California residents, businesses over $25M in revenue, or businesses deriving 50%+ of revenue from selling California residents' data (almost every data broker).

• California also passed SB 362 (the Delete Act). The resulting Delete Request and Opt-Out Platform (DROP) goes operational on August 1, 2026 — a single request directs every registered California broker to delete. SB 361 (2025) further expanded broker disclosure requirements.

VCDPA (Virginia)

The second-mover after California. Narrower in some ways, broader in others. Enforced by the Virginia AG. No private right of action. Applies to businesses processing 100,000+ Virginia residents' data or 25,000+ plus 50% of revenue from sale.

CPA (Colorado)

Introduces the "universal opt-out mechanism" (UOOM): a browser-level signal that businesses must honor. Enforced by the Colorado AG. Recognizes Global Privacy Control (GPC) as a valid UOOM. Opt-in consent required for sensitive data.

Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA)

Similar rights to VCDPA, with differences at the margins.

• Connecticut gives the standard bundle plus opt-out of profiling. Official site.

• Utah is the narrowest of the comprehensive laws; it does not include a right to correct.

• Texas TDPSA is notably broad: it applies to any business that processes or sells personal data and does business in Texas, with no revenue threshold. See the Texas AG guidance.

The 2025 and 2026 wave

The laws that came into effect in 2025 and 2026 largely copy the VCDPA/CTDPA template with state-specific tweaks:

• Maryland has the strictest limits on sensitive data, including a full ban on selling data of minors.

• New Jersey has a broader definition of sensitive data, including precise geolocation within 1,750 feet.

• Tennessee includes an affirmative defense for businesses that conform to the NIST Privacy Framework — the only state to do so.

The canonical reference is the IAPP US State Privacy Legislation Tracker.

Laws specifically targeting data brokers

Distinct from comprehensive privacy laws, several states have statutes specifically for data brokers:

• Vermont — the first state to require data broker registration. Annual fee, public list.

• California SB 362 (Delete Act) — creates a single deletion request portal at the CPPA. The Delete Request and Opt-Out Platform (DROP) goes operational August 1, 2026; brokers must check the deletion list every 45 days.

• California SB 361 (2025) — expanded broker disclosure requirements. Brokers now must disclose sensitive-data collection (biometric, geolocation, reproductive-health, minors) and sharing with foreign actors, law enforcement, and GenAI developers.

• Texas HB 4373 — broker registration statute effective 2024.

• Oregon SB 619 — broker registration effective 2024.

• Vermont Act 171 of 2018 — broker registration + opt-out disclosure.

For most California consumers, DROP is the most efficient channel for comprehensive broker deletion from August 2026 onward: submit once, every registered broker must comply within 45 days.

How to invoke your rights

A deletion request under any state's law should include:

• Your full name and the state you reside in.

• The statute you are invoking (e.g., California Civil Code § 1798.105 for CCPA deletion).

• The specific data categories you want deleted, or "all personal information about me."

• A reasonable method to verify your identity (usually your email matching the one on file).

Template language that works across CCPA, VCDPA, CPA, CTDPA, and TDPSA:

*"Pursuant to [state statute], I am a resident of [state] and am exercising my right to deletion of all personal information you have collected about me. Please confirm receipt and completion of this request within the statutory timeframe. I do not consent to the sale or sharing of my personal information."*

Send from an email the business can match to your record. For data brokers specifically, the Offlist.me generator inserts the correct state statute for your state automatically and queues the email in your own outbox so it comes from the address on file.

What's coming in 2027

Bills actively moving through legislatures: Massachusetts, Washington (beyond its narrow health law), Pennsylvania, Michigan, and Wisconsin. The trend is toward converging on the VCDPA/CTDPA template with state-specific sensitive-data enhancements.

A federal bill (the American Privacy Rights Act) has been introduced and re-introduced without passing. Until it does, the state patchwork is what you have, and knowing which state's law applies to you matters.

References

• IAPP US State Privacy Legislation Tracker — canonical bill tracker

• California CPPA — regulator and Delete Act portal

• Vermont Data Broker Registry — public broker list

• California Delete Act (SB 362)

Invoke your state's deletion rights in one pass →