State Privacy Laws Beyond Texas: What Businesses That Sell Nationwide Must Comply With
As of mid-2026, 20 states have enacted comprehensive consumer data privacy laws, with more legislation pending. There's no federal comprehensive privacy statute, which means every business that collects personal data from customers in multiple states must navigate a patchwork of state laws with different applicability thresholds, different consumer rights, different enforcement mechanisms, and different cure periods. A one-size-fits-all compliance program won't satisfy every state, but a well-designed program built to the most demanding standard will cover most of the variation.
This article covers the state laws most likely to affect a Texas-based business with customers across the country, focusing on how each law differs from the TDPSA (covered in a separate article on this site). If your business has a website, accepts online orders, or collects email addresses from customers nationwide, several of these laws apply to you right now.
California. CCPA/CPRA
California's law is the most comprehensive, the most actively enforced, and the benchmark against which every other state law is measured.
Applicability. The CCPA applies to for-profit businesses doing business in California that meet any of three thresholds: annual gross revenue exceeding $26.625 million (adjusted effective January 1, 2025), buying, selling, or sharing the personal information of 100,000 or more California residents, or deriving 50 percent or more of annual revenue from selling or sharing personal information. Unlike the TDPSA (which exempts SBA-defined small businesses), the CCPA uses fixed numeric thresholds.
Key differences from Texas. California has a dedicated enforcement agency (the California Privacy Protection Agency, or CPPA) in addition to the AG. California provides a limited private right of action for data breaches involving specific categories of unencrypted personal information, making it the only state where individual consumers can sue directly. California eliminated its cure period (the window a business gets to fix a violation before enforcement begins) entirely. California requires a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link on the business's homepage. California's definition of "sale" includes any exchange of personal information for "valuable consideration," which is broader than most states' sale definitions and can encompass data sharing with advertising partners. Effective January 1, 2026, California's ADMT regulations require businesses using automated decision-making technology for significant consumer decisions to provide opt-out rights and pre-use notices. Penalties run up to $2,500 per unintentional violation and $7,500 per intentional violation, with no aggregate cap, assessed per consumer per violation.
Compliance priority. If you comply with California first, you'll satisfy approximately 80 percent of every other state's requirements by default.
Virginia. VCDPA
Virginia was the second state to enact a comprehensive privacy law, and its framework became the template most subsequent states followed, including Texas.
Applicability. Businesses that conduct business in Virginia or produce products or services targeted to Virginia residents and that either process the personal data of at least 100,000 Virginia consumers annually, or process the personal data of at least 25,000 Virginia consumers and derive over 50 percent of gross revenue from the sale of personal data. Virginia excludes employee and B2B data from its consumer count.
Key differences from Texas. Virginia's 30-day cure period has no sunset (same as Texas). Virginia doesn't require recognition of universal opt-out mechanisms or GPC signals (unlike Texas, which requires GPC recognition as of January 1, 2025). Virginia's VCDPA was amended in 2026 by SB 338 to prohibit controllers from selling precise geolocation data, a restriction Texas hasn't adopted. Enforcement is exclusively through the AG with no private right of action (same as Texas).
Colorado. CPA
Applicability. Businesses that conduct business in Colorado or produce products or services intentionally targeted to Colorado residents and that either process the personal data of 100,000 or more Colorado consumers annually, or process the personal data of 25,000 or more consumers and derive revenue from selling personal data.
Key differences from Texas. Colorado's 60-day cure period expired on January 1, 2025, meaning the AG can bring enforcement actions without providing any opportunity to cure. Colorado was the first state to require honoring a universal opt-out mechanism (GPC), with regulations approved under CPA Rule 4 CCR 904-3, Part 5. Colorado's AG and district attorneys share enforcement authority, giving local prosecutors independent enforcement power. Colorado requires data protection assessments for processing activities that present heightened risk, similar to the TDPSA.
Connecticut. CTDPA
Applicability. Businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that either process the personal data of 100,000 or more Connecticut consumers (excluding data processed solely for payment transactions), or process the data of 25,000 or more consumers and derive more than 25 percent of gross revenue from selling personal data.
Key differences from Texas. Connecticut's 60-day cure period expired on January 1, 2025. Connecticut requires universal opt-out mechanism recognition (GPC). Connecticut SB 3 (effective October 2024) added heightened protections for teen data, including restrictions on targeted advertising to consumers aged 13 to 15. Connecticut SB 4 (signed 2026) added a California-style data-broker registration regime, banned the sale of geolocation data, and added facial-recognition provisions. AG-only enforcement with no private right of action.
Maryland. MODPA
Applicability. Businesses that conduct business in Maryland or target products or services to Maryland residents and that either process the personal data of 35,000 or more Maryland consumers, or process the personal data of 10,000 or more consumers and derive more than 20 percent of gross revenue from selling personal data.
Key differences from Texas. Maryland stands apart from the Virginia-model states because it prohibits the sale of sensitive personal data entirely, regardless of consumer consent. Under the TDPSA (and most other states), selling sensitive data is permitted with opt-in consent. Maryland's data minimization requirements go beyond California's, restricting collection to data that's "reasonably necessary and proportionate" to the disclosed purpose. Maryland's approach represents a shift from the opt-out model (where businesses can collect and process data unless the consumer objects) toward substantive restrictions on data practices that consent can't override.
Oregon. OCPA
Applicability. Businesses that conduct business in Oregon or provide products or services to Oregon residents and that either process the personal data of 100,000 or more Oregon consumers, or process the personal data of 25,000 or more consumers and derive 25 percent or more of annual gross revenue from selling personal data.
Key differences from Texas. Oregon has no cure period, meaning violations can result in immediate enforcement action. Oregon's sale definition is narrower than California's but broader than Virginia's. Oregon amended its law to bar the sale of geolocation data within a 1,750-foot radius of the consumer. Oregon requires universal opt-out mechanism recognition.
Delaware. DPDPA
Applicability. Businesses that conduct business in Delaware or produce products or services targeted to Delaware residents and that either process the personal data of 35,000 or more Delaware consumers, or process the personal data of 10,000 or more consumers and derive more than 20 percent of gross revenue from selling personal data. Delaware's 35,000-consumer threshold is among the lowest in the country, which means more mid-sized businesses are covered than under states with 100,000-consumer thresholds.
Key differences from Texas. Delaware's cure period expired on January 1, 2026. Delaware requires opt-in consent for the processing of known minors' sensitive data. AG-only enforcement.
Washington. My Health My Data Act
Washington's law isn't a comprehensive consumer privacy statute. It's a category-specific law that applies to any business collecting, sharing, or selling "consumer health data" from Washington residents, regardless of the business's size or revenue.
Key differences from Texas. Washington defines "consumer health data" more broadly than HIPAA, encompassing any information linked to a consumer and used to identify past, present, or future physical or mental health status, including data derived from non-health sources that becomes health data when combined with other information. Washington's law includes a private right of action (rare among state privacy laws) and applies to any entity collecting health data, not just HIPAA-covered entities. For businesses that collect health-adjacent data (fitness app data, wellness product purchase history, supplement or medication purchase records, mental health app usage), Washington's law may apply even if no comprehensive state privacy law does.
Compliance Strategy
Comply with California first. The CCPA/CPRA is the most demanding, and satisfying its requirements covers most of what every other state requires. Start with a CCPA-compliant privacy notice, consumer rights request mechanism, and vendor contract framework.
Layer Texas-specific provisions on top. The TDPSA's SBA small business exemption, permanent cure period, and AG-only enforcement are favorable compared to California, but the TDPSA's GPC recognition requirement (effective January 1, 2025) adds an obligation California also shares.
Honor GPC signals universally. At least 12 states now require GPC recognition, and the number is growing. Configuring your website to detect and honor GPC signals as valid opt-out requests satisfies all of them simultaneously.
Obtain opt-in consent for sensitive personal information across all states. Every state privacy law requires opt-in consent for sensitive data, and the categories of sensitive data are substantially similar (racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric data, children's data, precise geolocation). Building opt-in consent into your data collection flow at the point of sensitive data collection satisfies every state's requirement in one step.
Map your vendor contracts against the most prescriptive requirements. California's CCPA Regulations (11 CCR § 7051) impose nine mandatory contract terms for service providers and contractors. A DPA built to California's specifications will satisfy every other state's processor contract requirements.
Monitor enforcement trends. Texas filed its first TDPSA enforcement action in January 2025 (Allstate/Arity geolocation case). The CPPA has secured its largest CCPA penalty ($1.35 million, September 2025). Colorado, Connecticut, Maryland, Minnesota, Oregon, and New Jersey are expected to be among the most active enforcement states through 2026. Cure periods have expired in Colorado, Connecticut, Delaware, Montana, New Hampshire, and Minnesota, giving those states' AGs immediate enforcement authority.
Practical Recommendations
Don't build state-by-state compliance programs. Build one program to the California standard, add Texas-specific provisions, and confirm that your program satisfies each additional state law through a structured comparison. A single, well-designed program costs less to maintain than 20 separate state-by-state efforts.
Review your applicability annually. As your business grows and your customer base expands into new states, new privacy laws become applicable. A business that processed data from 30,000 Delaware residents last year and 40,000 this year just crossed Delaware's threshold.
Track legislative developments. Five to seven new state privacy laws are expected to be enacted or take effect each year through 2028. Oklahoma signed its Consumer Privacy Law (SB 546) in March 2026. The compliance burden is increasing, not stabilizing, and building a flexible program now costs less than retrofitting one later.
Related practice area: Privacy Law
Need advice tied to your business issue?
Share the issue. Get direct attorney review. Receive a concrete recommendation.
Submit an Inquiry