US State Privacy Laws for Small Business Websites: A 2026 Compliance Map

Running a small business website used to mean worrying about a handful of federal regulations and maybe one or two state-specific rules. Those days are over. As of 2026, over 20 US states have enacted comprehensive consumer privacy laws, and several more have legislation in progress. If your website collects any personal information from visitors (and virtually every website does, through analytics, contact forms, email signups, or cookies), you are almost certainly subject to at least one of these laws. The challenge for small business owners is that each state's law is slightly different, creating a compliance patchwork that can feel impossible to navigate. This guide maps out the current landscape, identifies the requirements that affect small businesses most, and provides a practical compliance strategy that covers your obligations without requiring a team of lawyers.
Why State Privacy Laws Matter for Small Businesses
The United States does not have a single, comprehensive federal privacy law comparable to Europe's GDPR. Instead, privacy regulation has emerged primarily at the state level, with each state crafting its own legislation. This creates a situation where a small business operating a website accessible from any US state may need to comply with multiple different privacy laws simultaneously.
Jurisdictional reach. Most state privacy laws apply based on where the consumer resides, not where the business is located. If a California resident visits your website and submits their email address, California's privacy law (CCPA/CPRA) may apply to your handling of that data, regardless of whether your business is in California or Kansas.
Website data collection is pervasive. Even if you think your website does not collect personal data, it almost certainly does. Google Analytics tracks visitor behavior. Contact forms collect names and emails. Cookie consent tools create records. E-commerce functionality processes payment information. Newsletter signups store email addresses. Social media pixels track browsing activity. All of this constitutes "personal information" or "personal data" under most state privacy laws.
Enforcement is real. State attorneys general are actively enforcing these laws, and some states have created dedicated privacy enforcement divisions. While enforcement has primarily targeted larger companies so far, small businesses are not exempt, and enforcement scope is expanding.
Consumer expectations are changing. Your customers increasingly expect transparency about how their data is used. Having a clear, comprehensive privacy policy and honoring data rights requests is becoming a baseline expectation, not a differentiator.
For a broader look at how data privacy fits into your compliance obligations, our guide to data privacy and compliance for small businesses covers the fundamentals every business owner should understand.
The Current State Privacy Law Landscape
As of early 2026, the following states have enacted comprehensive consumer privacy laws that are either currently in effect or scheduled to take effect. This landscape evolves rapidly, so verify current status for any state that affects your business.
Laws Currently in Effect
California (CCPA/CPRA). In effect since January 2020 (CCPA) and January 2023 (CPRA amendments). The most comprehensive state privacy law and the model for many subsequent state laws. Applies to businesses that meet any of three thresholds: annual gross revenue over $25 million, buy/sell/share personal information of 100,000 or more consumers, or derive 50 percent or more of annual revenue from selling or sharing personal information. The California Privacy Protection Agency (CPPA) actively enforces the law.
Virginia (VCDPA). In effect since January 2023. Applies to businesses that control or process personal data of at least 100,000 Virginia consumers, or control or process personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data.
Colorado (CPA). In effect since July 2023. Applies to businesses that control or process personal data of 100,000 or more Colorado consumers, or control or process personal data of 25,000 or more consumers and derive revenue or receive a discount from the sale of personal data.
Connecticut (CTDPA). In effect since July 2023. Applies to businesses that control or process personal data of 100,000 or more Connecticut consumers (excluding data processed solely for payment transactions), or control or process personal data of 25,000 or more consumers and derive more than 25 percent of gross revenue from the sale of personal data.
Utah (UCPA). In effect since December 2023. Applies to businesses with annual revenue of $25 million or more that control or process personal data of 100,000 or more Utah consumers, or derive more than 50 percent of gross revenue from selling personal data and control or process personal data of 25,000 or more consumers.
Iowa (ICDPA). In effect since January 2025. Applies to businesses that control or process personal data of 100,000 or more Iowa consumers, or control or process personal data of 25,000 or more consumers while deriving more than 50 percent of gross revenue from the sale of personal data.
Indiana (ICDPA). In effect since January 2026. Similar threshold structure to other states.
Tennessee (TIPA). In effect since July 2025. Includes both consumer thresholds and a revenue threshold of $25 million.
Montana (MCDPA). In effect since October 2024. Notable for having no revenue threshold and a lower consumer threshold (50,000 consumers), making it more likely to affect smaller businesses.
Texas (TDPSA). In effect since July 2024. Applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents, and that process or engage in the sale of personal data. No minimum revenue or consumer count threshold, making it one of the broadest laws.
Oregon (OCPA). In effect since July 2024. Applies to businesses that control or process personal data of 100,000 or more Oregon consumers, or control or process personal data of 25,000 or more Oregon consumers while deriving 25 percent or more of annual gross revenue from selling personal data. Notable for including non-profit organizations.
Delaware (DPDPA). In effect since January 2025. Applies to businesses that control or process personal data of 35,000 or more Delaware consumers (excluding data processed solely for payment transactions), or control or process personal data of 10,000 or more consumers and derive more than 20 percent of gross revenue from selling personal data.
Nebraska (NDPA). In effect since January 2025. Applies broadly to businesses that process personal data of Nebraska residents.
New Hampshire (SB 255). In effect since January 2025. Follows a similar framework to Connecticut's law.
New Jersey (SB 332). In effect since January 2025. Applies to businesses that control or process personal data of 100,000 or more New Jersey consumers, or control or process data of 25,000 or more consumers and derive revenue from selling personal data.
Laws Taking Effect in 2026
Maryland (MODPA). Taking effect October 2026. Notable for a more restrictive approach to data minimization, requiring that data collection be "reasonably necessary and proportionate" to specified purposes.
Minnesota (MCDPA). Taking effect July 2026. Includes a private right of action provision that allows consumers to sue businesses directly for violations.
States with Legislation in Progress
Several additional states have active privacy legislation that may be enacted in 2026 or 2027. Pennsylvania, Massachusetts, New York, and North Carolina are among the states where significant privacy bills have been introduced. The trend is clearly toward more states adopting comprehensive privacy laws, not fewer.
Common Requirements Across State Laws
Despite their differences, most state privacy laws share a core set of requirements. Focusing on these common elements gives you the broadest compliance coverage for the least effort.
Privacy Policy Requirements
Every state law requires businesses to maintain a clear, accessible privacy policy that describes their data practices. At minimum, your privacy policy should include the following.
Categories of personal data collected. List the types of information you collect (names, emails, IP addresses, browsing data, purchase history, etc.).
Purposes for data collection. Explain why you collect each category of data (providing services, marketing, analytics, improving the website, etc.).
Categories of third parties who receive data. Identify the types of organizations you share data with (analytics providers, email marketing platforms, payment processors, advertising networks, etc.).
Consumer rights. Describe the rights consumers have under applicable laws and how they can exercise those rights.
Data retention periods. State how long you keep different categories of personal data.
Contact information. Provide clear contact details for privacy inquiries and data rights requests.
A well-crafted privacy policy is the foundation of compliance under every state law. If you do not have one, or if yours has not been updated recently, this should be your first priority.
Consumer Rights
Most state laws grant consumers a similar set of rights regarding their personal data. While the specific implementation varies, the core rights include the following.
Right to know. Consumers can request information about what personal data a business has collected about them.
Right to access. Consumers can request a copy of their personal data in a portable, readily usable format.
Right to delete. Consumers can request that a business delete the personal data it has collected about them. Most laws include exceptions for data needed to complete transactions, fulfill legal obligations, or maintain security.
Right to correct. Many (but not all) state laws give consumers the right to correct inaccurate personal data.
Right to opt out of sale. If a business "sells" personal data (and the definition of "sale" varies by state), consumers can opt out. Some states also include the right to opt out of targeted advertising and profiling.
Right to non-discrimination. Businesses cannot discriminate against consumers for exercising their privacy rights, such as by charging higher prices or providing inferior service.
Data Processing Obligations
Beyond individual rights, businesses have ongoing obligations regarding how they handle personal data.
Data minimization. Collect only the personal data that is reasonably necessary for the stated purposes. Do not collect data "just in case" you might need it later.
Purpose limitation. Use personal data only for the purposes disclosed in your privacy policy. If you want to use data for a new purpose, update your privacy policy and (in some states) provide consumers with notice or choice.
Data security. Implement reasonable security measures to protect personal data from unauthorized access, disclosure, or destruction. The definition of "reasonable" varies, but basic security measures like HTTPS encryption, secure password storage, and access controls are universally expected.
Data protection assessments. Several states require businesses to conduct data protection assessments for certain high-risk processing activities, such as processing sensitive data, selling personal data, or engaging in targeted advertising.
Small Business Exemptions and Thresholds
One of the most important questions for small business owners is whether their business actually falls within the scope of these laws. The answer depends on the specific law and your business's data practices.
Revenue Thresholds
California ($25 million annual gross revenue), Utah ($25 million), and Tennessee ($25 million) include revenue thresholds that may exempt smaller businesses. However, revenue is only one of each law's applicability criteria. You may still be covered based on the volume of data you process.
Consumer Count Thresholds
Most state laws include thresholds based on the number of consumers whose data you process. These range from 10,000 (Delaware, for businesses with significant data sale revenue) to 100,000 (most states). Importantly, "processing" includes collecting data through website analytics, so a business with high web traffic may meet these thresholds even if it does not have many customers.
Do analytics visitors count? This is a critical question. In most states, the answer is yes. If your website uses Google Analytics and receives 100,000 unique visitors from a particular state in a year, you may meet that state's threshold. The definition varies by state, and some states specifically exclude data processed solely for payment transactions, but website analytics data is generally included.
Broad-Scope Laws
Texas and Montana are notable for having minimal or no thresholds, meaning even very small businesses may be covered. If your website is accessible to residents of these states and you collect any personal data, you should assume these laws apply to your business.
Practical Guidance
Given the complexity of determining exactly which laws apply to your business, most privacy professionals recommend a pragmatic approach: build your compliance program to meet the most stringent common requirements (generally California's CCPA/CPRA), and you will be substantially compliant with most state laws. The additional effort required to comply with California's requirements, versus complying with a less stringent state law, is minimal.
A Practical Multi-State Compliance Strategy
Rather than trying to comply with each state law individually (which would be impractical for any business, let alone a small one), follow this unified approach that covers the common requirements of all current state privacy laws.
Step 1: Conduct a Data Inventory
Before you can comply with privacy laws, you need to understand what data you collect, how you use it, and who you share it with. Create a simple spreadsheet that documents the following for every data collection point on your website.
What data is collected. Name, email, IP address, cookies, browsing behavior, purchase history, etc.
Why it is collected. Service delivery, marketing, analytics, security, legal compliance, etc.
Where it is stored. Your website database, email marketing platform, CRM, analytics tool, etc.
Who has access to it. Your team members, third-party service providers, advertising platforms, etc.
How long it is retained. Active account duration, 12 months, indefinitely, etc.
This inventory is the foundation of your compliance program. It informs your privacy policy, helps you respond to consumer requests, and identifies areas where you may need to reduce data collection.
Step 2: Update Your Privacy Policy
Using the information from your data inventory, create or update your privacy policy to meet the most comprehensive requirements across all state laws. Your policy should be written in clear, plain language (not legalese) and should include all the elements described in the common requirements section above.
Make it accessible. Link to your privacy policy from your website footer on every page. It should be no more than one click away from any page on your site.
Keep it current. Review and update your privacy policy whenever you add new data collection tools, change third-party providers, or modify your data practices. At minimum, review it annually.
Step 3: Implement Consumer Rights Mechanisms
Create a process for receiving and responding to consumer data rights requests. At minimum, you need the following.
A designated contact method. Provide an email address, web form, or both where consumers can submit privacy requests. Many small businesses use a simple privacy@yourbusiness.com email address.
Identity verification. Before fulfilling a request, verify the consumer's identity to prevent unauthorized access to personal data. A simple verification process (confirming the email address associated with the request, asking for additional identifying information) is sufficient for most small businesses.
Response timeline. Most state laws require a response within 45 days, with the option to extend by an additional 45 days if necessary. Set calendar reminders to ensure you meet these deadlines.
Fulfillment process. Document your step-by-step process for fulfilling each type of request (access, delete, correct, opt-out). This might include exporting data from your CRM, deleting records from your email platform, and removing analytics data.
Step 4: Add Required Website Elements
Several practical website changes are needed to support compliance.
Cookie consent management. Implement a cookie consent mechanism that allows users to accept or reject non-essential cookies. This is required by some state laws and is a best practice under all of them. The mechanism should distinguish between necessary cookies (like session cookies), analytics cookies, and advertising cookies.
"Do Not Sell or Share" link. California requires a prominent "Do Not Sell or Share My Personal Information" link. Even if your business does not technically "sell" data, many businesses include this link as a precautionary measure. Several other states have similar requirements.
Opt-out mechanisms. Provide clear mechanisms for consumers to opt out of targeted advertising, data sales, and profiling. These can be implemented through your cookie consent tool, a dedicated privacy preferences page, or your privacy contact method.
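As an added illustration of the consent gating described in this step (example code, not from the original article or any particular consent vendor), the following JavaScript keeps analytics and advertising tags inert until the visitor accepts their category, defaults to necessary cookies only, and treats a "Do Not Sell or Share" click as withdrawal of the advertising category. The storage key and the `type="text/plain"` / `data-consent-category` script-tag convention are assumptions for this example.

```javascript
// Added example: a minimal category-based consent manager.
// Categories follow the article: necessary, analytics, advertising.
const CATEGORIES = ['necessary', 'analytics', 'advertising'];
const STORAGE_KEY = 'privacy_consent_v1'; // assumed name for this example

// Build a consent record. 'necessary' is always on; every other category is
// off unless the visitor explicitly chose true (strings like "true" do not count).
function makeConsent(choices = {}) {
  const record = { version: 1, timestamp: new Date().toISOString(), categories: {} };
  for (const c of CATEGORIES) {
    record.categories[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return record;
}

// State before the visitor has made any choice: necessary cookies only.
function defaultConsent() {
  return makeConsent({});
}

// "Do Not Sell or Share My Personal Information": withdraw advertising
// (the category that shares data with ad networks) and keep other choices.
function optOutOfSaleOrShare(consent) {
  return makeConsent({ ...consent.categories, advertising: false });
}

// Decide which tagged scripts may run under the current consent record.
function allowedScripts(scripts, consent) {
  return scripts.filter(s => consent.categories[s.category] === true);
}

// Persist and restore the record. Anything unreadable or tampered falls back
// to the default (never to "everything allowed").
function saveConsent(consent, storage) {
  storage.setItem(STORAGE_KEY, JSON.stringify(consent));
}
function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    return makeConsent(parsed.categories || {});
  } catch {
    return defaultConsent();
  }
}

// Browser glue. Third-party tags are written into the page as
//   <script type="text/plain" data-consent-category="analytics" src="..."></script>
// so the browser never executes them on load; only after consent do we
// clone the allowed ones as real scripts. Returns the number activated.
function activateScripts(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  const pending = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const runnable = allowedScripts(
    pending.map(el => ({ category: el.dataset.consentCategory, el })), consent
  );
  for (const { el } of runnable) {
    const s = doc.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
  }
  return runnable.length;
}
```

Call `activateScripts(loadConsent(localStorage))` on page load and again after the banner saves a new choice; tags the visitor declined stay as inert `text/plain` elements.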
Step 5: Review Third-Party Relationships
Your obligations extend to how third parties handle data you share with them. Review your relationships with key service providers.
Analytics providers. Google Analytics, Plausible, Fathom, and other analytics tools collect personal data on your behalf. Ensure your analytics setup respects user consent choices and that you have appropriate data processing agreements in place.
Email marketing platforms. Mailchimp, ConvertKit, and similar tools store and process your subscribers' personal data. Review their privacy practices and ensure your data processing agreements are current.
Advertising platforms. If you use Google Ads, Facebook Ads, or other advertising platforms that use tracking pixels, these constitute data sharing (and possibly "selling") under several state laws. Ensure you have proper consent mechanisms before these pixels fire.
E-commerce processors. Payment processors handle sensitive financial data. Verify that your processor complies with applicable privacy laws and PCI DSS standards.
Step 6: Train Your Team
If anyone besides you handles customer data or responds to customer inquiries, they need to understand the basics of your privacy obligations.
What constitutes personal data. Help your team understand that personal data extends beyond names and emails to include IP addresses, device identifiers, browsing behavior, and other digital information.
How to recognize a privacy request. Train team members to identify when a customer is making a data rights request, even if they do not use legal terminology. "Can you delete my account and all my data?" is a deletion request under most state laws.
Where to route requests. Establish a clear process for routing privacy requests to the person responsible for handling them. Requests should never be ignored or delayed.
Handling Consumer Data Rights Requests
When you receive a data rights request, follow this systematic process.
Acknowledge receipt. Send a confirmation that you received the request within a few business days. Include the expected timeline for fulfillment.
Verify identity. Confirm that the person making the request is the individual whose data is being requested. For most small businesses, confirming the email address associated with the request is sufficient.
Search your systems. Check all systems where you store personal data: your website database, CRM, email marketing platform, analytics tools, customer service records, and any other relevant systems.
Fulfill the request. For access requests, compile the data and provide it in a common format (CSV, PDF). For deletion requests, remove the data from all systems where it is stored (with exceptions for data you are legally required to retain). For correction requests, update the inaccurate data.
Confirm completion. Notify the consumer that their request has been fulfilled. For deletion requests, confirm that the data has been deleted and list any exceptions (data retained for legal or security purposes).
Document everything. Keep records of every request received, the actions taken, and the timeline. This documentation demonstrates compliance if you are ever audited or investigated.
Enforcement and Penalties
Understanding the enforcement landscape helps you calibrate your compliance investment appropriately.
Attorney general enforcement. Most state privacy laws are enforced by the state attorney general. Enforcement actions typically begin with an investigation triggered by a consumer complaint, a pattern of violations, or a data breach.
Cure periods. Many state laws include a "cure period" that gives businesses 30 to 60 days to fix a violation before penalties are imposed. However, this grace period is being eliminated in newer laws and through amendments to existing laws. California, for example, no longer provides a mandatory cure period.
Penalties. Fines vary by state but typically range from $2,500 to $7,500 per violation. When each affected consumer constitutes a separate violation, penalties can accumulate rapidly.
Private right of action. Most state privacy laws do not give individual consumers the right to sue businesses directly for privacy violations (with the notable exception of California's data breach provision and Minnesota's broader private right of action). However, this is an evolving area, and more states may add private enforcement rights.
Practical enforcement reality. As of 2026, enforcement has primarily targeted larger businesses and egregious violations. Small businesses face a lower (but not zero) enforcement risk. However, the trend is clearly toward more active enforcement across all business sizes.
Looking Ahead
The state privacy law landscape will continue to evolve throughout 2026 and beyond. Several trends are worth watching.
More states will enact laws. The number of states with comprehensive privacy laws is expected to reach 25 to 30 by the end of 2027. If your state does not yet have a privacy law, it likely will soon.
Federal legislation remains uncertain. While the American Privacy Rights Act (APRA) and similar federal proposals have been introduced, comprehensive federal privacy legislation has not yet passed. Until it does, the state-by-state patchwork will continue.
Enforcement will intensify. As state privacy agencies build capacity and gain experience, enforcement activity will increase. The honeymoon period for new laws is ending.
Consumer awareness is growing. More consumers are learning about their privacy rights and exercising them. The volume of data rights requests small businesses receive will increase over time.
Technology will help. Privacy compliance tools designed for small businesses are becoming more affordable and user-friendly. Automated consent management, data mapping, and request fulfillment tools are making compliance more accessible.
Your 30-Day Compliance Plan
Do not try to achieve perfect compliance overnight. Start with the highest-impact items and build from there.
Week 1. Conduct your data inventory. Document what personal data your website collects, where it goes, and who has access. Review your current privacy policy (or lack thereof).
Week 2. Update or create your privacy policy based on your data inventory. Implement a cookie consent mechanism if you do not already have one. Add a privacy contact email to your website.
Week 3. Set up your consumer rights request process. Create a simple intake form or email template. Document your fulfillment procedures. Train any team members who handle customer data.
Week 4. Review your third-party service providers and data processing agreements. Implement "Do Not Sell or Share" opt-out mechanisms where required. Test your consent management tools to ensure they function correctly.
Ongoing. Monitor for new state laws and amendments. Review your privacy policy quarterly. Respond to consumer requests within required timelines. Keep records of all compliance activities.
The state privacy law landscape may seem overwhelming, but the underlying requirements are consistent and manageable. Build a single, comprehensive compliance program that meets the most stringent state requirements, and you will be well-positioned to handle whatever new legislation emerges. The investment in privacy compliance protects your business from regulatory risk, builds customer trust, and positions you as a responsible steward of the data your customers entrust to you.