Nineteen States and Counting Have Enacted Comprehensive Consumer Privacy Statutes. Most Americans Have No Idea What Rights They Just Got.
Mason & Perry LLP | June 29, 2026
Five years ago, exactly one state in the country had a comprehensive consumer privacy law on the books. Today, more than half of all Americans live in a state that gives them a clear statutory right to see what a company has collected about them, ask for it to be deleted, and tell that company to stop selling their data to third parties. Most people do not know it. Companies, in many cases, are counting on that.
This is a quick guide to what the new state privacy laws actually do, who is covered, and how to use the rights they give you — because the laws only matter if you exercise them.
A Map of the New Privacy Landscape
The Golden State went first. The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., took effect on January 1, 2020 and was significantly expanded by the California Privacy Rights Act amendments in 2023. Since then, the dam has broken. Virginia, Colorado, Connecticut, and Utah followed in 2023; Texas, Oregon, Florida, and Montana came online in 2024; and a much larger wave — including Delaware, Iowa, New Hampshire, Nebraska, New Jersey, Tennessee, Minnesota, and Maryland — became effective across 2025. Kentucky, Indiana, and Rhode Island joined the list at the start of 2026.
The statutes differ in important ways — coverage thresholds, definitions of “sale,” availability of a private right of action — but the core consumer rights they guarantee have converged on a recognizable common core. If your state has enacted one of these laws, you almost certainly have most or all of the rights described below.
The Six Rights You Probably Now Have
The right to know. You can ask a covered business what categories of personal information it has collected about you, the sources it got that information from, the business purposes for which it is being used, and the categories of third parties it has been disclosed to. In most states you can also request a copy of the actual data, not just a description of categories.
The right to delete. You can ask the business to delete personal information it has collected from you. Exceptions exist — businesses may keep data needed to complete a transaction, comply with the law, exercise free speech, or perform certain internal analytics — but the default has flipped. The burden is on the company to justify keeping your data, not on you to justify asking for it back.
The right to correct. Most of the newer state statutes require businesses to honor a verified request to correct inaccurate personal data. This is especially valuable for data that drives consequential decisions — credit, insurance, employment screening — where an inaccurate record can quietly cost you money for years.
The right to opt out of sale. Every covered law gives consumers the right to direct a business to stop “selling” their personal information. The definitions of “sale” vary, but the broader state laws (California, Colorado, Connecticut) include not just cash transactions but also disclosures for “valuable consideration” — language broad enough to cover much of the ad-tech ecosystem.
The right to opt out of targeted advertising. A close cousin of the right to opt out of sale, this right specifically covers cross-context behavioral advertising — the kind that follows you around the web. Several states (California, Colorado, Connecticut, and others) require businesses to honor a browser-level “Universal Opt-Out Mechanism,” such as the Global Privacy Control signal, so that a single setting in your browser tells every covered site that you are opting out.
The right to opt out of certain profiling. Newer laws — including the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Maryland Online Data Privacy Act — give consumers the right to opt out of “profiling in furtherance of decisions that produce legal or similarly significant effects,” meaning algorithmic decisions about credit, housing, insurance, employment, education, or access to essential goods and services.
A Few States Have Gone Further
Not every state law is alike, and a handful stand out for breaking new ground.
Maryland’s Online Data Privacy Act, which took effect in October 2025, contains the strictest data-minimization rule in the country to date: collection of personal data must be “reasonably necessary and proportionate” to provide the product or service the consumer requested. Sale of sensitive personal data is prohibited outright — not subject to consent, not subject to opt-out, simply prohibited.
Minnesota’s Consumer Data Privacy Act, effective July 31, 2025, includes an unusual right to “question the result” of an automated decision and to be told what data was used to reach it — a small but meaningful step toward algorithmic accountability.
New Jersey’s privacy statute, N.J. Stat. Ann. § 56:8-166.1, includes a 30-day right-to-cure period for businesses that runs only until July 1, 2026, after which any violation becomes immediately actionable. State enforcers have already issued cure notices to multiple data brokers in the law’s first year.
Texas, despite its reputation for light-touch regulation, gave its Attorney General one of the most active enforcement budgets in the country to police the Texas Data Privacy and Security Act. The state has already filed major enforcement actions in the first eighteen months of the law’s life.
How to Actually Exercise Your Rights
Find the privacy page — and the “Do Not Sell or Share My Personal Information” link. Federal regulations and state laws require covered businesses to post these prominently. They are typically in the footer of the homepage and the privacy policy. If a business has California, Colorado, Connecticut, or comparable customers, you should see clearly labeled mechanisms for opt-out, deletion, and access.
Turn on the Global Privacy Control in your browser. GPC is a free, browser-level setting that automatically transmits an opt-out signal to every website you visit. California, Colorado, Connecticut, and several other states require covered businesses to honor it. It is the single most efficient privacy tool a consumer can deploy. Brave, Firefox, and DuckDuckGo turn it on by default; Chrome and Safari users can install a free extension.
Send a written deletion or access request. Most covered businesses must respond within 45 days (45 calendar days in California; comparable windows in most other states). If you do not get a substantive response in that window, save the timestamps. Documented noncompliance is exactly what state enforcers — and class action plaintiffs, where private rights of action exist — are looking for.
Check whether your state allows a private lawsuit. This is where the laws diverge sharply. California permits private suits, but only for certain data-breach scenarios. Most other state comprehensive privacy laws are enforced exclusively by the state Attorney General or a designated agency. That does not mean violations are toothless — Attorney General actions in California and Texas have already produced multi-million-dollar settlements — but it does mean that whether you can sue depends on which state you live in.
Keep your records. If you file a deletion request, screenshot the confirmation. If the business misses the deadline, save the email thread. If you later discover the company kept selling your data after telling you it stopped, that record is what builds a case.
Why the State-by-State Patchwork Matters
There is no federal comprehensive privacy law. Several have been proposed in recent years, but none has cleared Congress. Until and unless one does, the rules that govern how companies collect, share, and sell your personal information will depend largely on which state you happen to live in — and on how aggressively that state chooses to enforce its statute.
For consumers, that creates both a frustration and an opportunity. The frustration is that two people living in adjoining states can have meaningfully different privacy rights against the same company. The opportunity is that the state laws, taken together, have already created the most robust consumer privacy regime the United States has ever had — and most people have not yet noticed.
Mason & Perry LLP represents individuals and groups in consumer privacy class action litigation and advises clients on the exercise of state privacy rights. If you believe a company has failed to honor a deletion request, opt-out request, or access request — or has misused your personal information — contact us to discuss your options.