The federal privacy law that’s been “two years away” for the last decade is still two years away. In its absence, the state-level patchwork keeps growing. By mid-2026, twenty US states have a comprehensive privacy law on the books. Three of them, California, Texas, and Florida, drive most of the compliance complexity for companies operating nationally. Here’s the practical comparison.
California (CCPA / CPRA), the prototype
California’s law is the broadest and the oldest. It applies to companies doing business in California that meet any of three thresholds: $25 million in annual revenue, the personal data of 100,000+ California residents/households, or 50% of revenue from selling/sharing personal information.
Required: rights of access, deletion, correction, portability, opt-out of sale and sharing, opt-out of automated decision-making with significant impact, sensitive-data limitation, and a “Do Not Sell or Share My Personal Information” link in the website footer. The CPPA (California Privacy Protection Agency) actively enforces; six- and seven-figure settlements landed throughout 2025.
Texas (TDPSA), broader applicability, narrower rights
The Texas Data Privacy and Security Act applies to any company doing business in Texas that processes or sells personal data, with no revenue or volume threshold for most provisions, except a small-business carve-out for SBA-defined small businesses (under ~$6 million in revenue depending on industry).
Required: rights of access, deletion, correction, portability, opt-out of sale and targeted advertising, opt-out of profiling that produces legal effects. The big practical difference from California is the small-business exemption: many SaaS startups that fall below California’s $25M threshold can ignore Texas too. The big practical similarity is the rights themselves: a CCPA-compliant rights process satisfies most of Texas with minor renaming.
Florida (FDBR), the targeted-advertising hammer
Florida’s Digital Bill of Rights only applies to “controllers” with $1 billion or more in global gross revenue and at least one of: 50% of revenue from digital ads, operating an app store with 250,000+ apps, operating a smart speaker. So the FDBR is mostly a Big Tech law with some unusual targeting.
Where it does apply, the rights are the standard set (access, delete, correct, opt-out) plus specific protections for children’s data and a particularly aggressive opt-out of “targeted advertising” that some larger platforms have struggled to operationalise. If your company is under $1B, Florida is mostly a forward-looking concern.
The compliance shortcut
If you build to California, you’re 90% of the way to Texas, and most of the way to the other state laws including Colorado, Connecticut, Virginia, Utah, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware. The deltas are real but small: terminology differences (“controller” vs “business”), specific notice requirements, and slight differences in opt-out scope.
Universal opt-out signals (Global Privacy Control) are now legally required to be honoured in California, Colorado, and Connecticut, and recommended elsewhere. If your privacy stack respects GPC, that’s one signal that satisfies multiple regimes.
Three things to do this quarter
Map your data inventory by state of residence. If you can’t filter your user base by state, you can’t honour state-specific rights properly. The data is usually there; the labelling rarely is.
Operationalise GPC. Make your site honour Global Privacy Control as an opt-out signal, log it, and confirm in the privacy policy. This is the single highest-leverage change for compliance across multiple states.
Run a privacy-rights tabletop. When a Texas resident submits a deletion request and a Florida resident submits an access request the same day, can your team meet both timelines? If the answer is “we’d figure it out,” that’s the gap.
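The first two items above, a state-labelled data inventory and GPC handling, are the technical half of that list. Here is an added example (not code from the original article) of a minimal server-side privacy stack that honours the Global Privacy Control signal, records why it was honoured using a per-user state-of-residence inventory, and serves the GPC support resource. The GPC mechanics are real: browsers send the request header `Sec-GPC: 1` (and expose `navigator.globalPrivacyControl` to page scripts), and a site advertises support at `/.well-known/gpc.json`. Everything else, the state table, the record and log shapes, the user ids, is an assumption made for illustration.

```python
# Added example, not code from the original article. The Sec-GPC header,
# navigator.globalPrivacyControl and /.well-known/gpc.json are the real GPC
# mechanism; the inventory, record shape and user ids below are assumptions.
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Mapping, Optional

# States where, per the article, honouring GPC is legally required. The signal
# is honoured everywhere; this set only decides what the log records as the reason.
GPC_REQUIRED_STATES = frozenset({"CA", "CO", "CT"})


@dataclass
class OptOutRecord:
    user_id: str
    state: Optional[str]   # two-letter state from the inventory, None if unlabelled
    honoured: bool         # opt-out of sale/sharing applied for this user
    mandatory: bool        # True when the state is in GPC_REQUIRED_STATES
    reason: str
    timestamp: str         # ISO-8601 UTC


@dataclass
class PrivacyStack:
    residence: Dict[str, Optional[str]]            # hypothetical data inventory
    opted_out: Dict[str, bool] = field(default_factory=dict)
    log: List[OptOutRecord] = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for a valid Sec-GPC header. The spec defines a single valid
    value, "1"; anything else (including "0" or an empty header) is not a
    signal. HTTP header names are case-insensitive, so normalise first."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_gpc(stack: PrivacyStack, user_id: str, headers: Mapping[str, str]) -> OptOutRecord:
    """Evaluate one request. Honours GPC regardless of state (one signal, many
    regimes) but labels the record so an auditor can see where it was mandatory.
    Returns the record that was appended to the log."""
    state = stack.residence.get(user_id)
    now = datetime.now(timezone.utc).isoformat()

    if not gpc_signal_present(headers):
        rec = OptOutRecord(user_id, state, honoured=False, mandatory=False,
                           reason="no Sec-GPC signal", timestamp=now)
    elif state is None:
        # Unlabelled user: the inventory cannot tell us the regime, so honour the
        # signal as the safe default and make the labelling gap visible in the log.
        rec = OptOutRecord(user_id, None, honoured=True, mandatory=False,
                           reason="state unknown; honoured by default", timestamp=now)
    elif state in GPC_REQUIRED_STATES:
        rec = OptOutRecord(user_id, state, honoured=True, mandatory=True,
                           reason=f"GPC required in {state}", timestamp=now)
    else:
        rec = OptOutRecord(user_id, state, honoured=True, mandatory=False,
                           reason=f"GPC recommended in {state}; honoured", timestamp=now)

    if rec.honoured:
        stack.opted_out[user_id] = True
    stack.log.append(rec)
    return rec


def gpc_support_resource(last_update: date) -> dict:
    """Body for GET /.well-known/gpc.json, which tells clients the site honours GPC."""
    return {"gpc": True, "lastUpdate": last_update.isoformat()}


if __name__ == "__main__":
    # Constructed sample inventory and requests.
    stack = PrivacyStack(residence={"u-ca": "CA", "u-tx": "TX", "u-unk": None})
    for uid, hdrs in [("u-ca", {"Sec-GPC": "1"}),
                      ("u-tx", {"sec-gpc": "1"}),
                      ("u-unk", {"Sec-GPC": "1"}),
                      ("u-tx", {"Sec-GPC": "0"})]:
        print(apply_gpc(stack, uid, hdrs))
    print(gpc_support_resource(date(2026, 1, 1)))
```

The design choice worth noting is that the state lookup never gates whether the signal is honoured; it only changes the audit reason. That keeps the "one signal satisfies multiple regimes" property while still surfacing the labelling gap the inventory step is meant to close: every record with `state` of `None` is a user you cannot yet classify.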
