US state privacy patchwork in 2026: a SaaS compliance map for 20 active laws

By Nirav Goti, Jun 24, 2026, 14 min read

As of June 2026, twenty US states have enacted comprehensive consumer privacy laws, and the California Privacy Protection Agency (CPPA) has now issued the largest CCPA penalty on record at $1.35 million against Tractor Supply on September 30, 2025, while Texas Attorney General Ken Paxton extracted $1.375 billion from Google in May 2025 over Chrome incognito disclosures, Maps location history and Google Photos biometric claims. The complication for any SaaS, fintech or health-tech selling across state lines is that none of those statutes share a single text, threshold, opt-out signal list or processor-contract clause. Building twenty parallel privacy programs is operationally impossible, and the federal SECURE Data Act (HR 8413, April 2026) does not yet have the bipartisan support to preempt the patchwork. This post maps the active US state privacy landscape in 2026, names the obligations that overlap and the ones that do not, and lays out one unified privacy-ops architecture, including a data subject request (DSR) portal, a universal opt-out signal handler and a single data inventory, that satisfies every state without twenty separate workflows.

The count: twenty active state privacy laws and one Texas outlier

Privacy counsel in 2024 still talked about a handful of state laws. In 2026 the count is twenty: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia have comprehensive consumer privacy statutes in force or phasing in through 2026. Most of them follow the Virginia Consumer Data Protection Act (VCDPA) template, with revenue or processing thresholds (typically processing 100,000 consumers, or 25,000 consumers with a sale-of-data revenue component). California's CCPA as amended by the CPRA keeps its $25 million revenue test or 100,000 consumer threshold, plus the only private right of action in the country, limited to specified data breaches under Civil Code section 1798.150. Texas is the outlier that breaks the threshold model.

Cumulative count of US state comprehensive consumer privacy laws, 2018 through June 2026.

The Texas Data Privacy and Security Act (TDPSA) applies to any business conducting trade in Texas or targeting Texas residents that processes or sells personal data and is not a small business under the SBA size standard. Revenue is irrelevant. A two-person SaaS in Surat or Bengaluru that signs even one Texas customer is in scope. The interpretive question every privacy lead is asking is whether the SECURE Data Act or its successor will preempt the patchwork. Industry comments to date split between a federal floor model (harmonization without removing state private rights of action) and full preemption (the model the American Privacy Rights Act tried and failed). For now, planning has to assume the patchwork persists through 2027. The good news is that the obligations themselves cluster into five buckets, and a single control set can satisfy all of them. The rest of this post maps those buckets.

Consumer rights: access, deletion, correction, portability, opt-out

Every one of the twenty statutes grants four core consumer rights: access, deletion, correction and portability. The variance is in the response window, the appeal mechanism and the categories of data covered. California sets 45 days to substantively respond to a verifiable consumer request, extendable by another 45 with notice. Virginia, Colorado, Connecticut and most of the VCDPA-template states use the same 45-day clock with a 45-day extension. Texas TDPSA also uses 45 days, with a mandatory appeal mechanism if a request is denied, and a route for the consumer to contact the Texas AG if the appeal fails. Utah is the outlier in the other direction with a 45-day response but no correction right.

Core consumer-rights coverage across five representative state privacy statutes.

Sensitive data is the second axis of variance. California and Utah use an opt-out model for sensitive data processing. Every other state requires opt-in consent before processing sensitive data, which the statutes define to include racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic and biometric data, precise geolocation and children's data. A SaaS that ingests any of those categories needs an opt-in flow that defaults off for eighteen of the twenty states.

Profiling and automated decision-making rights are the newest layer. Colorado, Connecticut, Texas and Oregon all give consumers a right to opt out of profiling that produces legal or similarly significant effects. California's CPPA finalized its automated decision-making technology (ADMT) rules in 2025 with phased compliance through 2026, adding a pre-deployment risk assessment and consumer notice obligation. For a fintech using credit-decisioning models or a health-tech using triage scoring, this is the most operationally heavy right in the entire patchwork.

One DSR portal, with a single intake form, identity verification flow, fulfillment workflow and 45-day SLA, can satisfy every state if it routes correctly on the back end. The portal must record the state of residence, the request type, the verification method and the response date, because state AGs subpoena that log first when an enforcement action opens.

Universal opt-out signals: California, Colorado, Connecticut, Oregon, Texas

Five states now require businesses to recognize a universal opt-out signal, in practice the Global Privacy Control (GPC) browser header. California was first, with the CPPA's March 2025 enforcement order against Honda for $632,500 turning on the failure to honor opt-out rights alongside excessive verification on an opt-out webform. Colorado, Connecticut and Oregon followed under their respective consumer privacy statutes, and Texas added GPC recognition under TDPSA.

Headline US state privacy enforcement outcomes, July 2024 through September 2025.

The CPPA's September 30, 2025 settlement with Tractor Supply for $1.35 million cited the failure to honor GPC as one of three findings, alongside missing service-provider contract terms and inadequate notices to job applicants. The engineering work is small but the design pattern matters. The web property reads the GPC header, sets an opt-out cookie scoped to the user's browser, and propagates that opt-out to advertising tags, analytics SDKs, CRM systems and any downstream processors. The CPPA's enforcement record shows that propagation to Meta Pixel, Google Ads remarketing and similar tags is the part most companies fail.

Texas added a homepage disclosure wrinkle that no other state has. TDPSA requires a sale-of-data disclosure on the homepage when a business sells personal data, with specific statutory language for sales of sensitive or biometric personal data. Fixing this is a one-line HTML change, but you have to know to make it. The unified architecture treats GPC as the system of record for opt-out preference, with state-specific UI prompts layered on top for the disclosures that vary.
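The design pattern above, as an added example that is not code from the original post or from Certbar: a server-side handler reads the Sec-GPC request header, persists the opt-out in a cookie, and derives per-category gates that the tag loader, analytics SDK and CRM sync consult. The cookie name, the downstream category names and the "never revert silently" rule are assumptions of this illustration.

```javascript
// Added example (not from the original post): Global Privacy Control handling
// with the GPC header as the system of record for the opt-out preference.
// Cookie name and downstream category names are assumptions for this sketch.

const OPT_OUT_COOKIE = "sale_share_opt_out";

// Parse a raw Cookie header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the opt-out state for one request. "Sec-GPC: 1" always wins; an
// existing opt-out cookie is honoured even when the signal is absent on this
// request, so a recorded opt-out never silently reverts to opted-in.
function resolveOptOut(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const gpc = String(h["sec-gpc"] || "").trim() === "1";
  const prior = parseCookies(h["cookie"])[OPT_OUT_COOKIE] === "1";
  const optedOut = gpc || prior;
  // Emit Set-Cookie only when the state changes, not on every hit.
  const setCookie = optedOut && !prior
    ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; SameSite=Lax`
    : null;
  return { optedOut, source: gpc ? "gpc-header" : prior ? "cookie" : "none", setCookie };
}

// Downstream consumers of the signal. Anything that constitutes a sale or share
// of personal data is gated; strictly necessary first-party processing is not.
const DOWNSTREAM = {
  ad_remarketing_pixel: "sale_or_share",
  analytics_sdk: "sale_or_share",
  crm_sync: "sale_or_share",
  session_security: "necessary",
};

// Propagate the decision to every tag/processor and return an audit record,
// because the evidence that propagation actually happened is what gets asked for.
function propagateOptOut(state) {
  const gates = {};
  for (const [tag, cls] of Object.entries(DOWNSTREAM)) {
    gates[tag] = cls === "necessary" || !state.optedOut;
  }
  return { gates, source: state.source, recordedAt: new Date().toISOString() };
}
```

The gates object is what the tag manager should consult before injecting any remarketing or analytics script; the audit record is what you retain per session.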

Processor and service-provider contracts: the Tractor Supply trigger

The most underbuilt control in 2026 is the processor contract. Every state statute requires written contracts between controllers and processors that bind the processor to specified data-handling obligations, but the required terms vary by state, and most SaaS contracts written before 2023 are now non-compliant. The CPPA's Tractor Supply order found that the company's service-provider agreements lacked the mandatory CCPA elements: purpose limitation, prohibition on retaining or using the personal information outside the direct business relationship, prohibition on combining the data with information from another source, and the obligation to assist with consumer requests.

Comparison of mandatory processor-contract clauses across CCPA, TDPSA, CPA and VCDPA, with Tractor Supply findings flagged.

The $1.35 million penalty is the floor for that finding, plus mandated remediation of the compliance program. Colorado, Connecticut, Virginia and Texas all use a similar but not identical list. Texas TDPSA adds a requirement that processor contracts include cooperation with audits and the right to terminate if the processor is in material breach. Colorado adds a requirement that subprocessors be flowed down by written notice.

The pragmatic move is to build a single master data processing addendum (DPA) that contains the union of all twenty states' required terms. The DPA needs four exhibits: a list of processing purposes, a list of subprocessors, the technical and organizational measures, and the cross-border transfer mechanism if any data leaves the US. A privacy program that already produces DPDP-style processor artifacts can adapt them upward for US state law rather than starting from scratch.

Vendor onboarding is where this control breaks. A procurement team that signs a vendor's standard MSA without a DPA addendum creates a TDPSA and CCPA violation on day one of the relationship. The fix is a procurement gate that requires DPA-signed status before any production data flows.

Data protection assessments: the high-risk processing trigger

Nine states now require written data protection assessments (DPAs) before engaging in high-risk processing: California, Colorado, Connecticut, Indiana, Maryland, Minnesota, Oregon, Texas and Virginia. The trigger list is broadly aligned: targeted advertising, sale of personal data, processing of sensitive data, profiling that produces legal or significant effects, and any processing that presents a heightened risk of harm. The format varies. Colorado has published a detailed rule that lists multiple required content elements, including the categories of data, the operational context, the risks to consumer rights, and the mitigation measures.

Mandatory breach notification windows that can fire concurrently on a single US SaaS incident in 2026.

Texas TDPSA lists similar elements with less prescriptive detail. California's CPPA finalized risk assessment regulations in 2025 that require annual filings for businesses that conduct ADMT. The interpretive question that has not settled is when assessments must be refreshed. Colorado's rule requires reassessment when there is a material change to the processing. California requires annual review. The pragmatic answer is to bind the assessment to a change-control workflow: any new data field, new processor, new model, or new business purpose triggers a DPA review.

This is also where AI risk assessment overlaps with privacy. The CPPA's ADMT rules and the parallel Colorado AI Act (SB 24-205) both require an impact assessment when an AI system makes consequential decisions about employment, lending, housing, healthcare, education, or essential goods and services. A SaaS that markets a hiring scorer, a credit decisioner, or a clinical triage tool is now in both privacy DPA and AI impact assessment scope, and the document can be one artifact with two annexes.

Document discipline matters because state AGs subpoena DPAs in the same letter as the DSR log. A missing or post-hoc DPA is the second-highest-probability enforcement finding after a GPC failure.

Breach notification timelines: the multi-clock problem

The state breach notification laws have not gone away, and the new comprehensive privacy statutes layer on top of them rather than replacing them. A SaaS breach in 2026 triggers between five and twelve separate notification clocks depending on the data, the customers and the regulators in scope.

The clocks that matter most: the FTC Safeguards Rule requires non-banking financial institutions to notify the FTC within 30 days of discovering a notification event affecting 500 or more consumers' unencrypted information, effective since May 13, 2024. The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K Item 1.05 within four business days of the materiality determination. NYDFS Part 500 requires notice within 72 hours for incidents and 24 hours for ransom payments, with a 30-day explanatory filing. HIPAA requires notice within 60 days to affected individuals, OCR and (for breaches of 500 or more) the media. State breach notification laws generally fall in the 30 to 90 day range. The new comprehensive privacy laws do not displace these but do impose additional duties around DSR closure during the incident response window.

The harmonization gap is the top general counsel complaint in 2026. The pragmatic approach is to run a single incident severity matrix that maps each breach to the union of applicable clocks, with the shortest clock as the operational target. The CIRCIA final rule, now scheduled for May 2026, will add a 72-hour incident clock and a 24-hour ransom-payment clock for sixteen critical-infrastructure sectors, on top of all of the above.
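The severity matrix described above, as an added example that is not code from the original post: one function maps an incident's attributes to the union of the notification clocks named in the text and returns the shortest as the operational target. The incident fields and regime labels are assumptions; the durations are the ones stated above; business-day arithmetic skips weekends only and ignores holidays, which is a simplification of this sketch.

```javascript
// Added example (not from the original post): single incident severity matrix
// that returns every applicable notification clock, earliest first.
// Incident field names are assumptions; durations are the ones in the text.

const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;

// Weekend-only business-day arithmetic (holidays ignored; assumption of this sketch).
function addBusinessDays(date, n) {
  const d = new Date(date.getTime());
  while (n > 0) {
    d.setTime(d.getTime() + DAY);
    const wd = d.getUTCDay();
    if (wd !== 0 && wd !== 6) n -= 1;
  }
  return d;
}

function notificationClocks(incident) {
  const t0 = new Date(incident.discoveredAt);
  const clocks = [];
  const add = (regime, deadline, basis) => clocks.push({ regime, deadline, basis });
  const after = (start, ms) => new Date(new Date(start).getTime() + ms);

  // FTC Safeguards Rule: 30 days from discovery, >=500 consumers, unencrypted data.
  if (incident.ftcSafeguardsCovered && incident.unencrypted && incident.affectedConsumers >= 500)
    add("FTC Safeguards Rule", after(t0, 30 * DAY), "30 days from discovery, >=500 consumers");
  // SEC Form 8-K Item 1.05: four business days from the materiality determination.
  if (incident.secRegistrant && incident.materialityDeterminedAt)
    add("SEC Form 8-K Item 1.05", addBusinessDays(new Date(incident.materialityDeterminedAt), 4), "4 business days from materiality determination");
  // NYDFS Part 500: 72 hours for incidents, 24 hours per ransom payment, 30-day explanatory filing.
  if (incident.nydfsCovered) {
    add("NYDFS Part 500 incident notice", after(t0, 72 * HOUR), "72 hours from discovery");
    add("NYDFS Part 500 explanatory filing", after(t0, 30 * DAY), "30 days from discovery");
    if (incident.ransomPaidAt) add("NYDFS Part 500 ransom payment notice", after(incident.ransomPaidAt, 24 * HOUR), "24 hours from payment");
  }
  // HIPAA: 60 days to individuals and OCR; media notice too at >=500 individuals.
  if (incident.hipaaCovered) {
    add("HIPAA individuals and OCR", after(t0, 60 * DAY), "60 days from discovery");
    if (incident.affectedConsumers >= 500) add("HIPAA media notice", after(t0, 60 * DAY), "60 days, >=500 individuals");
  }
  // State breach laws: caller supplies the per-state window (30 to 90 days in practice).
  for (const s of incident.statesAffected || [])
    add(`State breach law (${s.state})`, after(t0, s.days * DAY), `${s.days} days from discovery`);
  // CIRCIA (scheduled rule): 72-hour incident and 24-hour ransom clocks for covered sectors.
  if (incident.criticalInfrastructure) {
    add("CIRCIA incident report", after(t0, 72 * HOUR), "72 hours from discovery");
    if (incident.ransomPaidAt) add("CIRCIA ransom payment report", after(incident.ransomPaidAt, 24 * HOUR), "24 hours from payment");
  }
  clocks.sort((a, b) => a.deadline - b.deadline);
  return { clocks, operationalTarget: clocks[0] || null };
}
```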

State-by-state compliance map: thresholds, rights, opt-out, fines

One artifact every privacy lead should keep on the wall is a single-page map of who applies, what rights they grant, whether they require GPC, and what the penalty ceiling is. The compressed version below is what we use as the starting point in client engagements.

| State (statute) | Threshold | GPC required | DPA required | Penalty ceiling |
|---|---|---|---|---|
| California (CCPA/CPRA) | $25M rev / 100K consumers / 50% sale-of-data revenue | Yes | Yes (risk assessment) | $7,988 per intentional violation |
| Texas (TDPSA) | Any non-small business targeting Texans | Yes | Yes | $7,500 per violation |
| Virginia (VCDPA) | 100K consumers / 25K with 50% sale revenue | No | Yes | State AG enforcement |
| Colorado (CPA) | 100K consumers / 25K with sale revenue | Yes | Yes | State AG enforcement |
| Connecticut (CTDPA) | 100K consumers / 25K with 25% sale revenue | Yes | Yes | State AG enforcement |
| Utah (UCPA) | $25M rev + 100K consumers / 25K with 50% sale | No | No | State AG enforcement |
| Oregon (OCPA) | 100K consumers / 25K with 25% sale | Yes | Yes | State AG enforcement |
| Florida (FDBR) | $1B revenue + targeted-advertising trigger | No | Yes | State AG enforcement |
| Indiana (ICDPA) | 100K consumers / 25K with 50% sale | No | Yes | State AG enforcement |
| New Jersey (NJDPA) | 100K consumers / 25K with sale revenue | Pending | Yes | State AG enforcement |

The other ten states (Delaware, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, Rhode Island, Tennessee) sit on VCDPA-style thresholds and state AG enforcement.

Distribution of five major obligation categories across the twenty active US state privacy statutes.

Penalties stack per violation, per consumer. The CPPA can also order disgorgement and injunctive relief. What the table does not show is the asymmetric risk. Texas AG Paxton has demonstrated, with the $1.4 billion Meta biometric settlement in July 2024 and the $1.375 billion Google settlement in May 2025, that state AGs can layer general consumer-protection statutes on top of the privacy law to extract settlements that are orders of magnitude above the per-violation cap. Building to the per-violation cap is the wrong floor. Building to defensibility against an aggregated consumer-protection theory is the right one.

The unified privacy ops architecture for 2026

Twenty workflows is operationally untenable. The architecture that scales is built around three artifacts and one control set. Artifact one is a single data inventory keyed on data element, system of record, processing purpose, retention period, lawful basis (where state law requires one), sensitivity tag and onward transfer. Every DPA, every DSR fulfillment, every breach scoping and every processor contract derives from this inventory. If the inventory is wrong, every downstream control is wrong.

Three-artifact, one-control-set architecture that satisfies all twenty US state privacy laws from a single program.

Artifact two is the DSR portal, with state-aware routing on the back end. The front end is one form. The back end identifies the resident state, applies the right verification standard (California is the strictest), the right rights menu (Utah hides correction), the right appeal mechanism (Texas requires it), and the right SLA. The portal logs everything, because the log is the first thing subpoenaed.

Artifact three is the master DPA template, with state-specific annexes generated at signature time. Procurement signs no vendor without one. Legal reviews any deviation. The DPA flows to the subprocessor inventory, which feeds the data inventory.

The control set is the union of: GPC handling, sensitive-data opt-in flow, ADMT and profiling notice and opt-out, DPA workflow tied to change control, processor contract gate, breach response runbook with the multi-clock matrix, annual risk and AI impact assessment, and an incident-aware DSR pause. Annual penetration testing against the DSR portal and the consent management platform catches the technical failures that the CPPA and Texas AG find first.

For US SaaS, fintech and health-tech that need scale without scaling US headcount, and for Indian SaaS shipping into US markets that need a US-mapped privacy program, Certbar Security runs this architecture as a managed engagement. We are CERT-In empanelled, deliver from Surat and Mumbai with a 24x7 SOC that covers US business hours, and produce regulator-mapped audit evidence in the format US state AGs request. The decision is whether to keep building twenty workflows in parallel, or one unified privacy operation that satisfies all of them.
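The state-aware back end for the DSR portal, as an added example that is not code from the original post or from Certbar: one intake record is routed against a per-state policy table, the 45-day clock and 45-day extension are computed, and the log record the text says gets subpoenaed first (state, request type, verification method, response date) is produced alongside the decision. The policy facts come from the text (no correction right in Utah, mandatory appeal with an AG route in Texas, California as the strictest verification tier); the verification tier names, the default policy for states not listed, the incident-pause flag and the log shape are assumptions.

```javascript
// Added example (not from the original post): state-aware routing for a single
// DSR intake form. Tier names, default policy and log shape are assumptions.

const DAY = 24 * 3600 * 1000;
const CORE_RIGHTS = ["access", "deletion", "correction", "portability"];

// Baseline for every state: 45-day response, 45-day extension, all four core rights.
const DEFAULT_POLICY = {
  verification: "standard", rights: CORE_RIGHTS, appeal: "optional",
  escalation: null, responseDays: 45, extensionDays: 45,
};

// Only the deviations named in the text are overridden here.
const STATE_POLICY = {
  CA: { ...DEFAULT_POLICY, verification: "strict" },
  UT: { ...DEFAULT_POLICY, rights: CORE_RIGHTS.filter((r) => r !== "correction") },
  TX: { ...DEFAULT_POLICY, appeal: "mandatory", escalation: "Texas AG" },
};

// Route one request. Returns the decision and the audit-log record. An open
// incident marks the request "paused" (the incident-aware DSR pause) so the
// SLA is recomputed when the hold lifts rather than silently breached.
function routeDsr(req, opts = {}) {
  if (!req.state || !req.type || !req.receivedAt) throw new Error("state, type and receivedAt are required");
  const policy = STATE_POLICY[req.state] || DEFAULT_POLICY;
  const received = new Date(req.receivedAt);
  const responseDue = new Date(received.getTime() + policy.responseDays * DAY);
  const extendedDue = new Date(responseDue.getTime() + policy.extensionDays * DAY);
  const granted = policy.rights.includes(req.type);
  const decision = {
    state: req.state,
    type: req.type,
    status: opts.incidentOpen ? "paused" : granted ? "accepted" : "denied",
    verification: policy.verification,
    responseDue: responseDue.toISOString(),
    extendedDue: extendedDue.toISOString(),
    appeal: policy.appeal,
    escalation: policy.escalation,
    reason: granted ? null : `${req.type} is not a granted right in ${req.state}`,
  };
  // The four fields an AG subpoena asks for first, plus the decision itself.
  const log = {
    ...decision,
    verificationMethod: req.verificationMethod || "unverified",
    receivedAt: received.toISOString(),
    loggedAt: new Date().toISOString(),
  };
  return { decision, log };
}
```

A denial in Texas still carries `appeal: "mandatory"` and the AG escalation route, which is the path the text says the consumer must be offered.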


Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.
