The state-by-state expansion of consumer data privacy law hit a new milestone at the start of 2026, with twenty states now having comprehensive privacy statutes on the books. As the International Association of Privacy Professionals reported, new laws took effect on January 1 in Indiana, Kentucky, and Rhode Island, adding to the growing patchwork that retailers operating across state lines must navigate. For an industry that runs on customer data — from loyalty programs and targeted promotions to personalized recommendations and inventory planning — the compliance burden is becoming a core operational challenge.

California, as usual, is setting the pace. The state's Consumer Privacy Act regulations for automated decision-making technology, risk assessments, and cybersecurity audits became applicable at the start of 2026, as MultiState detailed in its compliance tracker. Retailers using algorithms to set dynamic pricing, target advertising, or make credit decisions now face specific obligations around transparency and consumer opt-out rights. Additionally, California expanded its data broker registration law through SB 361, requiring data brokers to disclose more information about collected personal data and process opt-out requests within 45 days, as Gunster noted in its legal analysis.

The universal opt-out mechanism requirement is another area where retailers need to pay attention. As Ketch reported, Connecticut and Oregon joined a growing list of states — including California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas — that now require websites to recognize universal opt-out signals. For retailers with e-commerce operations, this means their platforms must be technically capable of detecting and honoring browser-level privacy preferences, a requirement that touches everything from marketing analytics to ad tech partnerships.

The coverage thresholds in the new state laws are calibrated to capture most retailers of meaningful size. LP Legal noted that Kentucky's and Indiana's laws apply to entities that control or process personal data of 100,000 or more consumers, or that derive 50 percent or more of revenue from selling the data of more than 25,000 consumers. While the largest national chains have dedicated privacy teams to manage compliance, mid-market retailers and regional chains often lack the resources to track and implement requirements that vary significantly from state to state.

Enforcement is moving from theoretical to practical. As Smith Law observed, 2026 marks the year that state enforcement takes center stage, with attorneys general in multiple states signaling increased investigation and penalty activity. Retail and e-commerce are explicitly identified as high-risk industries in several state enforcement frameworks, according to the Troutman Pepper privacy tracker. The absence of a federal privacy standard means that a retailer operating in all fifty states could theoretically face twenty different sets of rules — a reality that industry groups continue to cite as an argument for comprehensive federal legislation, though prospects for that remain uncertain.