Guide · 6 min read · April 5, 2026

State Privacy Laws: What E-Commerce Businesses Need to Know in 2026

The State Privacy Landscape in 2026

The United States now has more than 20 comprehensive state privacy laws on the books, and for e-commerce businesses selling nationwide, the compliance burden has never been higher. Unlike the EU's unified GDPR, the U.S. has taken a patchwork approach where each state sets its own rules, thresholds, and enforcement mechanisms.

If you operate an online store that ships to customers in multiple states — or even collects data from visitors in those states — you likely have obligations under several of these laws simultaneously.

Which States Have Comprehensive Privacy Laws?

As of 2026, the following states have enacted comprehensive consumer privacy legislation:

  • California (CCPA/CPRA) — The original and still the most expansive, with a dedicated enforcement agency (the CPPA)
  • Virginia (VCDPA) — Effective since January 2023
  • Colorado (CPA) — Effective since July 2023
  • Connecticut (CTDPA) — Effective since July 2023
  • Utah (UCPA) — Effective since December 2023
  • Texas (TDPSA) — Effective since July 2024
  • Oregon (OCPA) — Effective since July 2024
  • Montana (MCDPA) — Effective since October 2024
  • Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island — All effective between 2025 and 2026

Several more states have laws taking effect in 2027 and beyond. The trend is clear: comprehensive state privacy legislation is becoming the norm, not the exception.

Applicability Thresholds: When Do These Laws Apply to You?

Most state privacy laws use one of two triggering thresholds:

  1. Revenue threshold — Your business earns above a certain amount of revenue (California uses $25 million in annual gross revenue)
  2. Data volume threshold — You process personal data of a certain number of state residents (commonly 100,000 consumers, or 25,000 consumers if you derive revenue from selling data)

For e-commerce businesses, the data volume threshold is often the one that catches you first. If your online store gets significant traffic from a state, you may be processing the personal data of tens of thousands of that state's residents through analytics, cookies, and purchase records alone.

Key point: Even if you have no physical presence in a state, these laws typically apply if you process the personal data of that state's residents and meet the applicable thresholds.

The Laws That Matter Most for E-Commerce

While every applicable law matters, three states deserve extra attention from online retailers:

California (CCPA/CPRA)

California's law is the most aggressive in scope and enforcement. It covers the broadest definition of personal information, grants consumers the most rights (including the right to correct and the right to limit use of sensitive data), and is enforced by a dedicated agency with rulemaking authority. If you sell to California residents, this is your baseline.

Texas (TDPSA)

Texas is notable because it has no minimum data processing threshold. If you process personal data of Texas residents and conduct business in Texas (which includes selling to Texans online), the law applies regardless of your size. This catches small and mid-size e-commerce businesses that might fly under the radar in other states.

Oregon (OCPA)

Oregon's law includes nonprofit organizations and has a lower processing threshold of 25,000 consumers if you process data for non-incidental commercial purposes. It also has a notable provision requiring data protection assessments.

Common Requirements Across State Laws

Despite the patchwork nature, most state privacy laws share a core set of requirements:

  • Privacy notice/policy — You must clearly disclose what data you collect, why, and with whom you share it
  • Consumer rights — Right to know, right to delete, and right to opt out of sale or targeted advertising
  • Data protection assessments — Required for high-risk processing activities like targeted advertising
  • Opt-out mechanisms — Most laws require you to honor opt-out preference signals and provide a clear opt-out link
  • Vendor contracts — You must have data processing agreements with your service providers and processors
  • Reasonable security — You must implement appropriate technical and organizational security measures

How to Approach Multi-State Compliance

The practical approach for most e-commerce businesses is to comply upward — build your compliance program around the most stringent requirements (typically California's CPRA) and then layer in state-specific obligations where they diverge.

Here is a pragmatic framework:

  1. Map your data flows — Understand what personal data you collect, where it goes, and who has access
  2. Implement the strictest standard — If California requires it, just do it everywhere
  3. Track state-specific divergences — Some states have unique provisions (like Oregon's nonprofit coverage or Texas's lack of a threshold)
  4. Automate where possible — Use consent management platforms, automated DSAR workflows, and privacy policy generators that stay current
  5. Monitor new legislation — New states continue to pass privacy laws, and existing laws get amended

What This Means for Your Business

Ignoring state privacy laws is not a viable strategy. Enforcement is ramping up, with California leading the way and other state attorneys general following. The cost of non-compliance — in fines, legal fees, and reputational damage — far outweighs the cost of building a reasonable compliance program.

The good news is that the core obligations are converging. A well-designed compliance program built on California's framework will get you most of the way there for every other state. The key is staying informed about which laws apply to you and keeping your program current as the landscape evolves.
