State Opt-Out Requirements for 2026
Expanding State Data Privacy Laws
Privacy regulations in the United States have expanded dramatically by 2025. What began as a single state law in California has grown to include 19 states with varying requirements. Each state has created its own approach to consumer opt-out rights.
This expansion reflects growing public concern about data privacy. It also shows increasing regulatory attention to how businesses handle consumer information. Understanding the differences between these regulations is crucial for effective compliance.

Table of Contents
Established Privacy Frameworks
California
Virginia
Colorado
Connecticut
Utah
Texas
Nevada
Tennessee
Minnesota
Maryland
New Privacy Laws in 2025
Delaware
Iowa
Nebraska
New Hampshire
New Jersey
New Privacy Laws in 2026
Understanding Key Privacy Concepts and Definitions
Definition of Personal Information
Definition of "Sale"
Definition of Targeted Advertising
Definition of Profiling
Definition of Sensitive Data
Types of Privacy Opt-Out Requirements
Data Sale Opt-Out Requirements
Targeted Advertising Opt-Out Requirements
Data Sharing Opt-Outs (California-Specific)
Profiling Opt-Outs
Consumer Opt-Out Mechanism Requirements
Website Mechanisms
Universal Opt-Out Signals
Timing Requirements
The California Delete Act (SB 362) & DROP
Anti-Deceptive Interface Provisions
Established Privacy Frameworks
California (CCPA/CPRA)
California pioneered comprehensive consumer privacy rights in the United States. The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), created a robust framework. Many other states have used it as inspiration.
Key features of California's framework include:
- Broad definition of "sale" covering both monetary and non-monetary exchanges
- Required "Do Not Sell or Share My Personal Information" link
- Mandatory recognition of Global Privacy Control (GPC) signals
- Regulatory oversight shared between the Attorney General and the California Privacy Protection Agency
- Specific rules against deceptive design patterns that impair privacy choices
The California model has influenced other states while maintaining unique elements. This makes compliance particularly important for businesses operating in the nation's largest state economy.
Virginia (CDPA)
Virginia's Consumer Data Protection Act took effect in January 2023. It differs from California in several key aspects:
- Narrower definition of "sale" limited to monetary exchanges
- More business-friendly exemptions
- Consumer rights are structured in a way that many subsequent state laws have copied
- No requirements for browser-based universal opt-out signals
- Specific protections for sensitive data categories
Virginia's approach balances consumer privacy with business practicality. It has created a framework that many other states have followed.
Colorado (CPA)
Colorado implemented a privacy framework with several distinctive features:
- Universal opt-out signal recognition, required as of July 2024
- Consumer right to opt out of profiling for significant decisions
- A broader definition of "sale" similar to California
- Phased implementation, allowing businesses to adapt
- Rules requiring the minimum amount of personal data collection
Colorado's requirement that businesses recognize universal opt-out mechanisms presents a significant technical challenge. This requirement has influenced how many businesses approach privacy compliance across all states.
Connecticut (CTDPA)
Connecticut closely follows Colorado's model with these key elements:
- Universal opt-out signal requirements, effective in 2025
- Enhanced protections for sensitive data categories
- Consumer rights to opt out of targeted advertising
- Profiling restrictions similar to Colorado
- Comprehensive consent requirements
Connecticut's approach combines elements from several other state frameworks while adding unique protections for state residents.
Utah (UCPA)
Utah's Consumer Privacy Act takes a more business-friendly approach:
- Applies to fewer businesses because it requires higher revenue and data processing volumes to trigger compliance obligations
- Limited definition of "sale" similar to Virginia
- Streamlined consumer rights framework
- Fewer compliance burdens for smaller businesses
- Simplified consumer request process
Texas (TDPSA)
Texas adopted a hybrid approach with the Texas Data Privacy and Security Act:
- Elements from both Virginia and Colorado frameworks
- Industry-specific exemptions
- Sale and targeted advertising opt-out requirements
- Customized approach reflecting Texas business interests
- Phased implementation timeline
Texas exempts specific industries from certain requirements to protect consumers while supporting business growth.
Nevada
Nevada implemented a narrower law focused specifically on online sales:
- Limited to online operators
- Narrow focus on sales of personal information
- Predates most comprehensive state frameworks
- Simplified compliance requirements
- Less extensive consumer rights compared to newer laws
Nevada's early entry into privacy regulation focuses primarily on online data sales rather than comprehensive privacy protections.
Tennessee (TPPA)
Tennessee's law employs a tiered approach to business compliance, balancing regulatory requirements with business capabilities:
- Tiered Compliance Thresholds: Obligations are based on specific data processing volumes and revenue.
- Virginia-Style Framework: Heavily influenced by the VCDPA model regarding consumer rights.
- Safe Harbor Provisions: Offers legal protections for businesses that maintain a written privacy program that reasonably conforms to NIST standards.
- Focused Consumer Rights: Includes the right to access, correct, delete, and obtain a copy of personal data.
- Limited "Sale" Definition: Restricted primarily to monetary exchanges.
Tennessee balances consumer privacy with practical scalability for mid-sized businesses.
Minnesota (MCDPA)
Minnesota combines robust opt-out rights with specific data security requirements, emphasizing both consumer choice and protection:
- AI & Profiling Rights: Includes a unique "Right to Question" automated results used in profiling.
- Broad Scope of "Sale": Covers the exchange of data for monetary or other valuable consideration (similar to California).
- Mandatory Universal Opt-Out: Requires businesses to honor browser-based privacy signals (GPC).
- Inventory Requirements: Obligates businesses to maintain a data inventory to fulfill consumer requests effectively.
- Stricter Retention Rules: Mandates that personal data not be kept longer than necessary for the purpose it was collected.
Minnesota’s approach is one of the more comprehensive "non-California" models, with a heavy focus on data governance.
Maryland (MODPA)
Maryland's approach is currently one of the strictest in the nation, emphasizing transparency and aggressive data minimization:
- Strict Data Minimization: Prohibits collecting more data than is "reasonably necessary" to provide a requested product or service.
- Anti-Discrimination Provisions: Strong language preventing the use of personal data to discriminate against consumers.
- Heightened Sensitive Data Protections: Strict limitations on the sale of sensitive personal information.
- Universal Opt-Out Support: Legally requires recognition of universal opt-out mechanisms.
- Comprehensive Disclosure Requirements: Necessitates clear, granular reporting on third-party data sharing.
Maryland’s law represents a shift toward "Privacy by Default," placing a higher burden on businesses to justify data collection.
New Privacy Laws in 2025
January 2025 marked a significant expansion of privacy regulations with five new state laws taking effect:
Delaware
Delaware's Personal Data Privacy Act closely follows Virginia's model with:
- Enhanced protections for sensitive data categories
- Virginia-style framework for consumer rights
- Similar exemptions to the Virginia model
- A balanced approach to regulatory requirements
- Rules requiring businesses to collect only the minimum amount of personal data
Iowa
Iowa implemented a business-friendly approach to privacy:
- Higher thresholds for businesses subject to the law
- Required opt-out mechanisms for sales and targeted advertising
- More limited consumer rights compared to California
- Focus on transparency in data practices
- Streamlined compliance requirements
Nebraska
Nebraska's Consumer Data Privacy Act features:
- Comprehensive opt-out framework
- Specific provisions targeting data brokers
- Consumer rights modeled after Virginia
- Clear guidelines on business responsibilities
- Reasonable security requirements
New Hampshire
The New Hampshire Information Privacy Act implemented:
- Comprehensive opt-out requirements effective January 1
- Substantial consent requirements for sensitive data
- Clear disclosure obligations
- Consumer rights to access and delete personal information
- Rules requiring businesses to collect only the minimum amount of personal data
New Jersey
New Jersey's privacy law became effective January 15, featuring:
- Broad requirements for honoring consumer privacy choices
- Robust enforcement mechanisms
- Comprehensive definition of personal information
- Detailed compliance obligations
- Specific security requirements
New Privacy Laws for 2026
Indiana (ICDPA)
Effective January 1, 2026, Indiana’s privacy law mirrors the Virginia model with a focus on business-friendly compliance:
- Applicability Thresholds: Applies to businesses controlling data of 100,000+ Indiana residents (or 25,000 if 50% of revenue comes from data sales).
- 30-Day Right to Cure: Provides a permanent window for businesses to fix alleged violations before facing Attorney General enforcement.
- Response Timelines: Mandates a 45-day window for responding to consumer requests, with a possible 45-day extension.
- Limited Sensitive Data Scope: Definition of "sensitive" data is narrower than California, focusing on specific health diagnoses and identifiers.
- No Rulemaking Authority: The Attorney General cannot create new administrative rules, providing more regulatory stability for businesses.
Kentucky (KCDPA)
Effective January 1, 2026, Kentucky became the 15th state to adopt a comprehensive privacy framework:
- Monetary "Sale" Definition: Limits the definition of a data "sale" strictly to exchanges for monetary consideration.
- Permanent Right to Cure: Includes a 30-day period to remedy violations with no expiration date for this provision.
- DPIA Requirements: Starting June 1, 2026, businesses must conduct and document Data Protection Impact Assessments for high-risk processing.
- Consumer Rights Suite: Grants the right to access, correct, delete, and obtain a portable copy of personal data.
- Profiling Opt-Outs: Allows consumers to opt out of automated decision-making for legal or significant life effects.
Rhode Island (RIDTPPA)
Effective January 1, 2026, Rhode Island’s law is one of the more transparent and stringent for data brokers and service providers:
- Specific Third-Party Disclosures: Uniquely requires businesses to identify the actual names of third parties to whom data is sold, not just categories.
- No Right to Cure: Unlike Indiana and Kentucky, Rhode Island does not provide a grace period to fix violations before penalties apply.
- Lower Thresholds: Applies to businesses controlling data of 35,000+ residents (or 10,000 if 20% of revenue comes from sales).
- Intentional Disclosure Penalties: Imposes fines between $100 and $500 per disclosure for intentional violations.
- Conspicuous Policy Requirements: Mandates that privacy notices be placed in "another conspicuous location" if not clearly visible on the homepage.
Understanding Key Privacy Concepts and Definitions
Definition of Personal Information
Most state privacy laws define personal information broadly. Personal information includes any data that names a person, describes them, or connects to them or their home.
This includes:
- Direct identifiers (names, email addresses, government IDs)
- Indirect identifiers (IP addresses, device IDs, cookies)
- Geolocation data (precise location information)
- Biometric information
- Professional or employment information
- Education information
- Internet activity information
- Inferences drawn from other personal information
The broad definition covers more than traditional personally identifiable information (PII). This creates broader compliance obligations.
Definition of "Sale"
How states define "sale" creates significant differences in compliance requirements:
California's Broad Definition
California considers it a "sale" when businesses exchange personal information for money or other benefits.
Virginia and Utah's Narrow Definition
These states limit "sale" to exchanges of personal information for monetary consideration only, excluding many data-sharing arrangements.
Colorado, Connecticut, and Texas
These states follow California's broader approach. They include valuable non-monetary considerations, capturing more data-sharing activities.
These definitions require businesses to carefully track how they share consumer data and implement state-specific compliance measures.

Definition of Targeted Advertising
Targeted advertising generally refers to displaying advertisements based on personal data obtained from a consumer's activities over time and across different websites or applications.
Key elements include:
- Cross-context tracking
- Building consumer profiles
- Personalization based on browsing behavior
- Ad selection based on inferred interests or characteristics
All major state privacy laws now allow consumers to opt out of targeted advertising. The specific definitions and implementation requirements vary by state.
Definition of Profiling
Profiling involves the automated processing of personal data to evaluate, analyze, or predict aspects of an individual's behavior, preferences, interests, or characteristics.
Colorado and Connecticut let consumers stop automated decisions about important matters like:
- Employment eligibility
- Financial services opportunities
- Housing eligibility
- Educational opportunities
- Healthcare access
Definition of Sensitive Data
State laws generally define sensitive data as categories requiring special protection, including:
- Racial or ethnic origin
- Religious beliefs
- Health data
- Sexual orientation
- Genetic or biometric data
- Precise geolocation
- Children's data
- Financial account numbers
- Government identifiers
Most state privacy laws require explicit consent for processing sensitive data. This creates additional compliance obligations beyond standard opt-out requirements.
Types of Privacy Opt-Out Requirements
Data Sale Opt-Out Requirements
All comprehensive state privacy laws provide consumers the right to opt out of sales of their personal information. Practical implementation varies based on how each state defines "sale."
Example scenarios affected by varying definitions:
- Data appending services: Paying a company to enhance your customer data is a "sale" in all states.
- Advertising partnerships: Trading customer data for ad space is a "sale" in CA, CO, CT, and TX, not in VA and UT.
- Analytics services: Sharing data with tools that analyze it might be a "sale" in some states.
These differences significantly impact compliance strategies across states.
Targeted Advertising Opt-Out Requirements
All major state laws let consumers stop companies from using their data for targeted ads.
Implementation typically requires:
- Providing an explicit opt-out mechanism
- Communicating opt-out preferences to third-party advertising partners
- Halting data collection or sharing for advertising purposes
- Updating ad technology configurations
- Honoring opt-out preferences across platforms and devices
California addresses targeted advertising within its "sharing" concept. Other states make it a distinct opt-out category.
Data Sharing Opt-Outs (California-Specific)
California's CPRA uniquely established "sharing" as a specific opt-out category:
- Targets cross-context behavioral advertising specifically
- Applies even when no money changes hands
- Requires a "Do Not Sell or Share My Personal Information" link
- Closes loopholes in the original CCPA
- Represents an enforcement priority for California regulators
Sephora paid $1.2 million because they ignored customer opt-out requests. This shows regulatory seriousness about this requirement.
Profiling Opt-Outs
States like Colorado and Connecticut extend opt-out rights to include automated decision-making:
- Allows consumers to opt out of profiling for significant decisions
- Covers decisions affecting financial opportunities, employment, housing
- Requires implementation of technical mechanisms to honor these requests
- Involves reviewing automated decision systems
- Necessitates documentation of profiling activities and opt-out mechanisms
Consumer Opt-Out Mechanism Requirements
State privacy laws specify how businesses must implement opt-out mechanisms:
Website Mechanisms
Most states require:
- Clear, conspicuous links or buttons for opt-out requests
- Preference centers, allowing granular choices
- Simple forms for submitting requests
- Privacy policy disclosures about available opt-out rights
- Multiple methods for submitting requests
California specifically requires that business home pages prominently display a "Do Not Sell or Share My Personal Information" link.
Universal Opt-Out Signals: The GPC Standard
A significant trend is the requirement to honor universal opt-out mechanisms.
In 2026, honoring Global Privacy Control (GPC) has shifted from a recommended best practice to a mandatory technical requirement across 12 states.
- Mandatory Recognition: As of January 1, 2026, businesses must honor GPC signals in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
- Visible Confirmation (New for 2026): California now requires businesses to display a visible notification to the user (e.g., a badge or banner stating "Opt-Out Request Honored") once a GPC signal is detected. Background processing alone is no longer compliant.
- Joint Enforcement Sweeps: The Attorneys General of California, Colorado, and Connecticut have initiated coordinated "sweeps" to identify and penalize websites that fail to technically detect universal signals.
- Technical Implementation: Compliance requires your site to automatically detect the navigator.globalPrivacyControl browser variable and suppress all "sale" or "sharing" pixels (such as Meta or Google Ads) without requiring a manual click from the user.
- Lead-Gen Risk: If a user with GPC enabled submits a lead form, their data cannot be "sold" or "shared" with third parties for marketing purposes, regardless of whether they checked a consent box, as the browser signal acts as a preemptive opt-out.
These requirements mean businesses must automatically implement technical solutions to detect and honor browser-based privacy signals.
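One way to implement the detection, pixel suppression, California confirmation, and lead-form handling described above, as an added example that is not code from the original page. The function names, the tag inventory, and the choice to treat an unknown visitor state as covered are assumptions.

```javascript
// Added example (not from the original page). Function names, the tag
// inventory and the fail-closed handling of unknown states are assumptions.

// States the page lists as requiring GPC recognition as of January 1, 2026.
const GPC_MANDATORY_STATES = new Set([
  "CA", "CO", "CT", "DE", "MD", "MN", "MT", "NE", "NH", "NJ", "OR", "TX",
]);

// Constructed inventory: every tag is classified by purpose before it may load.
const TAG_INVENTORY = [
  { name: "meta-pixel", purpose: "sale_or_sharing" },
  { name: "google-ads", purpose: "sale_or_sharing" },
  { name: "error-monitoring", purpose: "operational" },
];

// The signal counts only when the browser exposes it and it is exactly true.
function gpcEnabled(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Combine the browser signal, the visitor's state (null when unknown) and any
// opt-out already on file. Unknown state is treated as covered (fail closed).
function resolveOptOut({ nav, state = null, storedOptOut = false }) {
  const signal = gpcEnabled(nav);
  const covered = state === null || GPC_MANDATORY_STATES.has(state);
  const viaGpc = signal && covered;
  return {
    optedOut: storedOptOut || viaGpc,
    source: viaGpc ? "gpc" : storedOptOut ? "stored" : "none",
    // California's visible-confirmation requirement, per the page.
    showConfirmation: signal && (state === null || state === "CA"),
  };
}

// Decide which tags may be injected. Runs before any pixel is loaded,
// so no manual click is needed for suppression to take effect.
function tagsToLoad(decision, inventory = TAG_INVENTORY) {
  return inventory
    .filter((t) => !(decision.optedOut && t.purpose === "sale_or_sharing"))
    .map((t) => t.name);
}

// Lead-form handling: a checked consent box does not override the opt-out.
function leadDisposition(lead, decision) {
  return {
    ...lead,
    mayShareWithThirdParties: lead.marketingConsent === true && !decision.optedOut,
    optOutSource: decision.source,
  };
}

// Browser wiring; skipped when run outside a page (for example under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const decision = resolveOptOut({ nav: window.navigator, state: null });
  if (decision.showConfirmation) {
    const badge = document.createElement("div");
    badge.textContent = "Opt-Out Request Honored";
    document.body.appendChild(badge);
  }
  console.log("Tags allowed to load:", tagsToLoad(decision));
}
```

The opt-out source recorded on each lead gives downstream systems a field to check before data is passed to a third party.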
Timing Requirements
State and federal regulations specify how quickly businesses must honor opt-out requests. For lead-gen and sales teams, it is critical to distinguish between general data privacy requests and telemarketing opt-outs:
- The Federal 10-Day Rule (TCPA): As of April 11, 2025, the FCC’s "Revocation of Consent" rule is in full effect. Businesses must honor "Do Not Call" and SMS opt-out requests within 10 business days. This federal mandate now supersedes the more lenient 30-day window previously allowed.
- State Privacy Timelines (45 Days): Most state laws (like California’s CCPA or Indiana’s ICDPA) still allow 45 days to process general requests, such as a request to delete data or opt out of data "sales" that aren't related to direct calling/texting.
- Extensions: For state-level privacy requests, a 45-day extension is often available with consumer notice. However, there is no extension for the 10-day federal marketing opt-out.
- Clarification Messages: Under the new federal rule, you may send one final text to clarify the scope of an opt-out (e.g., "Do you want to stop all messages or just marketing?"). If the consumer doesn't reply, you must treat it as a total opt-out and stop all communications within the 10-day window.
- Record Maintenance: You are required to maintain a "suppression list" or record of these opt-outs to ensure they are not inadvertently re-engaged by different sales pods or systems.
TCPA Roadmap: The "Global Revocation" Delay
A major provision of the FCC’s recent order has been delayed, giving businesses more time to adjust their backend systems:
- The "Stop-One, Stop-All" Rule: This requires a single opt-out request to apply globally across all "unrelated" lines of business within a company.
- New Deadline: On January 6, 2026, the FCC extended the waiver for this provision until January 31, 2027.
- Current Status: Until 2027, companies may continue to manage opt-outs on a per-category or per-business-unit basis, provided they offer a clear way for consumers to choose specific categories.
The California Delete Act (SB 362) & DROP
As of January 1, 2026, California has launched the Delete Request and Opt-out Platform (DROP). This "one-click" system allows residents to request that all registered data brokers delete their personal information simultaneously.
- Who is affected? Any company meeting California’s broad "Data Broker" definition, which often includes lead providers and data enrichment services.
- Key Deadline: While the platform is live for consumers now, data brokers must begin retrieving and processing these requests every 45 days starting August 1, 2026.
- The Risk: Non-compliance carries administrative fines of $200 per request, per day.
Anti-Deceptive Interface Provisions
Several states prohibit using deceptive interfaces to undermine privacy choices:
- California explicitly bans practices that impair consumer choice
- Colorado includes similar provisions
- Other states have general prohibitions on deceptive practices
- User interfaces must not confuse or mislead consumers
- Companies cannot make opting out difficult or confusing for users.
Disclaimer: This guide provides general information about privacy regulations and does not constitute legal advice.


