By 2026, roughly twenty U.S. states have passed comprehensive consumer privacy laws — and your small business website's compliance obligations depend on a patchwork of state thresholds, sectoral laws, and consumer rights that vary meaningfully across jurisdictions. The good news for most small businesses: you probably fall below the applicability thresholds of most comprehensive state laws. The bad news: enough other layers apply that "we're too small to worry" isn't accurate.

I'm David Campbell, founder of Nerd Stack. State privacy is the area where small businesses are most likely to be both over- and under-confident — either treating it as someone else's problem entirely, or trying to manually comply with every state law that exists. This guide is the plain-English landscape: which laws apply at what size, what the common rights are, and what's actually worth doing whether or not a particular law technically applies. This is an overview for business owners, not legal advice. It pairs with our privacy policy guide and cookie banner guide.

The 2026 State Privacy Law Landscape

As of 2026, the states with comprehensive consumer privacy laws (broadly modeled on California's CCPA/CPRA or Virginia's CDPA) include — in roughly the order they were enacted, which is not the order they took effect — California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, and Rhode Island. Several others have laws passed but not yet effective.

The laws share a common shape:

  • Consumer rights. Access to data, deletion, correction, opt-out of sale or sharing, opt-out of targeted advertising, and — in most — data portability.
  • Business obligations. A privacy policy disclosing data collection and use, mechanisms for honoring consumer requests, vendor management for processors, and data-minimization principles.
  • Applicability thresholds. Most laws apply only to businesses above a size or data-volume line: California's $25 million annual-revenue test, processing personal data of 100,000 or more consumers a year, or deriving a set share of revenue (25% or 50%, depending on the state) from selling personal data. Texas and Nebraska take a different approach and apply to any business that is not a "small business" under the SBA's size standards.

That third bullet is the most consequential for small businesses, and the most often misunderstood.

Why Most Small Businesses Fall Below the Thresholds

Most comprehensive state privacy laws are designed to focus on businesses that process meaningful volumes of personal data. The typical thresholds:

  • $25 million in annual revenue (California; Tennessee also uses a revenue test), or
  • Processing personal data of 100,000 or more consumers per year (the most common figure; Delaware, New Hampshire, Maryland, and Rhode Island use 35,000, Montana 50,000), or
  • 25% or 50% of annual revenue from selling personal data (the percentage, and the definition of "sale," vary by state).

A small business with under a million in revenue, a few thousand customers, and no business model based on data brokerage will fall below the applicability threshold of nearly every comprehensive state law. The notable exceptions are Texas and Nebraska, which apply to any business that is not a "small business" under the SBA's size standards, and which still bar even exempt small businesses from selling sensitive data without consent. Falling below a threshold doesn't mean privacy doesn't apply — it means the comprehensive law doesn't, and a different layer of obligations does.

What Applies Even Below the Thresholds

Even if you're below the thresholds, a few categories of obligation still apply:

  • CalOPPA. California's older privacy-policy law applies to any operator of a commercial website or online service that collects personally identifiable information from California residents. It has no revenue threshold. It requires a conspicuously posted privacy policy with specific disclosures, including how the site responds to browser "Do Not Track" signals.
  • COPPA. If your site is directed at children under 13, or you have actual knowledge that you are collecting personal information from a child under 13, COPPA applies regardless of business size.
  • Sectoral laws. GLBA (financial institutions), HIPAA (covered entities and the business associates that handle protected health information for them), and FERPA (schools receiving federal education funds, and the vendors handling their student records) apply regardless of size. A small vendor that touches health or student data can be pulled in through these contracts even with no patients or students of its own.
  • Third-party tool requirements. Google Analytics, ad platforms, payment processors, and email marketing tools all contractually require their customers to maintain privacy policies — independent of any government regulation.
  • Tort and contract risk. Even where state privacy law doesn't apply, a misleading privacy disclosure can support a consumer-protection or unfair-business-practice claim.

The practical answer: small businesses below the comprehensive-law thresholds still need a privacy policy, still need to honor reasonable consumer privacy requests, and still need their site's actual data practices to match the disclosures they make.

The Rights Your Visitors May Already Have

Regardless of which specific law applies to your business, the rights that consumers in privacy-law states generally have include:

  • Right to know. What data you've collected about them and how it's been used.
  • Right to delete. The ability to request that you delete personal data.
  • Right to correct. The ability to fix inaccurate data.
  • Right to opt out. Of sale or sharing of personal data, and increasingly of targeted advertising.
  • Right to portability. A copy of their data in a usable format.
  • Right to non-discrimination. Exercising any of the above can't be used against them in pricing or service.

If you receive a request that looks like one of these — even from a state whose law doesn't technically apply to you — the right move is usually to honor it. The cost of doing so is small, and the goodwill is real.

What's Actually Worth Doing

For a small business below the comprehensive-law thresholds, a practical privacy posture in 2026 includes:

  1. A privacy policy that matches your actual practices — covering data collection, use, sharing, retention, and contact. See our privacy policy guide.
  2. A monitored privacy contact email visible in the policy and footer, so consumer requests reach someone.
  3. A "Do Not Sell or Share" mechanism for California (and increasingly other states), even if you don't believe you "sell" data — the legal definition is broad enough to often include using ad pixels. California's regulations, and the Colorado and Connecticut laws, also require honoring browser-level opt-out preference signals such as Global Privacy Control, so the mechanism is not only a footer link; the site has to act on the signal.
  4. Cookie consent if you use analytics or ad tracking — see our cookie banner guide.
  5. Vendor management. Ensure your third-party tools (analytics, CRM, payment, marketing) have terms appropriate to your use, and that you understand what data leaves your control.
  6. A practical request-response process. If a consumer asks to access, delete, or correct their data, you should be able to do it within a reasonable timeframe.

None of this requires being a privacy specialist. Most of it is standard operational hygiene that holds up across jurisdictions.
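One way to make item 3 concrete on the server side, written as an added example for this guide rather than code from Nerd Stack or any client's site: a request handler decides whether a page may include "sale/share" tags (ad pixels, retargeting snippets) by checking two things, the browser's Global Privacy Control signal (sent as the `Sec-GPC: 1` request header, a mechanism this page does not discuss in detail) and a site-set opt-out cookie recorded when the visitor uses the "Do Not Sell or Share" link. The cookie name `privacy_opt_out`, the function names, and the sample request headers are this example's own assumptions and are constructed, not captured from a real site.

```javascript
// Added example: server-side "Do Not Sell or Share" gating for a small-business site.
// Cookie name and function names are assumptions for this example, not a standard.

const OPT_OUT_COOKIE = 'privacy_opt_out';        // assumed name of the site-level opt-out cookie
const OPT_OUT_MAX_AGE = 60 * 60 * 24 * 365;      // keep the preference for one year (seconds)

// Normalize header names to lowercase so 'Sec-GPC' and 'sec-gpc' are treated alike.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) out[name.toLowerCase()] = value;
  return out;
}

// Parse a Cookie request header ("a=1; b=2") into an object. Malformed
// percent-encoding is kept verbatim rather than thrown on, so a bad cookie
// can never break the privacy decision.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Decide whether this request may load sale/share tags. Either signal alone
// blocks them; the reason is returned so it can be logged for request handling.
function decideTracking(headers) {
  const h = lowerKeys(headers);
  // 1. Browser-level opt-out preference signal (Global Privacy Control).
  if (h['sec-gpc'] === '1') {
    return { allowSaleShare: false, reason: 'gpc-signal' };
  }
  // 2. Site-level opt-out set by our own "Do Not Sell or Share" form.
  const cookies = parseCookies(h['cookie']);
  if (cookies[OPT_OUT_COOKIE] === '1') {
    return { allowSaleShare: false, reason: 'opt-out-cookie' };
  }
  return { allowSaleShare: true, reason: 'no-opt-out' };
}

// Set-Cookie header issued when a visitor submits the opt-out form.
// Secure + HttpOnly keep page scripts (including third-party tags) from
// clearing it; SameSite=Lax still sends it on normal top-level navigations.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${OPT_OUT_MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Return the pixel markup only when tracking is allowed, otherwise nothing.
// The tags never reach the browser for an opted-out visitor, so there is no
// "fire first, suppress later" window.
function renderAdTags(headers, pixelHtml) {
  return decideTracking(headers).allowSaleShare ? pixelHtml : '';
}

// Constructed sample requests (not captured traffic) showing each outcome.
const SAMPLE_REQUESTS = [
  { label: 'gpc-browser',     headers: { 'Sec-GPC': '1', Cookie: 'session=abc' } },
  { label: 'opted-out-user',  headers: { Cookie: 'session=abc; privacy_opt_out=1' } },
  { label: 'ordinary-user',   headers: { Cookie: 'session=abc' } },
  { label: 'no-headers',      headers: {} },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ label: r.label, ...decideTracking(r.headers) }));
}

module.exports = { parseCookies, decideTracking, optOutSetCookie, renderAdTags, evaluateSamples };
```

The design choice worth copying is that the decision happens before the HTML is assembled: an opted-out visitor's page simply never contains the pixel, which is easier to audit than loading every tag and hoping a consent script suppresses it in time.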

The Trend Worth Watching

State privacy laws have been added at a pace of several new states per year since 2023 (about seven each in 2023 and 2024). By the end of 2026, at least half of U.S. states are expected to have comprehensive privacy laws. The trend is toward stricter rules, broader consumer rights, and lower applicability thresholds in some states. Building a privacy posture that's reasonable across jurisdictions — rather than trying to comply with each state individually — is the practical 2026 approach.

Frequently Asked Questions

Which states have privacy laws that apply to my small business?

By 2026, roughly twenty U.S. states have comprehensive consumer privacy laws. Most apply only to businesses above specific revenue or data-volume thresholds — typically $25 million in revenue or 100,000+ consumers' data. Most small businesses fall below the thresholds, but a separate layer of obligations (CalOPPA, COPPA, sectoral laws, tool requirements) still applies.

If I'm below the thresholds, do I still need a privacy policy?

Yes. California's CalOPPA, federal sectoral laws (COPPA, GLBA, HIPAA depending on industry), and your third-party tools' terms (Google, Meta, Stripe, etc.) all require a privacy policy independently of comprehensive state law. The threshold question affects which advanced obligations attach; it doesn't remove the baseline.

Do state privacy laws apply if I'm not based in that state?

Generally yes. Most state privacy laws apply to businesses that conduct business in the state or target products or services to its residents, not just businesses headquartered there. If you have California customers or website visitors and meet the thresholds, CCPA/CPRA may apply regardless of where your business is located.

What's the practical risk of ignoring state privacy laws?

Enforcement varies. State attorneys general can bring actions; California also allows limited private rights of action for data breaches. The realistic risk for most small businesses isn't a massive fine — it's the operational disruption of being asked to remediate, the loss of tool access if a tool's terms are violated, and reputational exposure from a public complaint.

Should I honor privacy requests from states whose laws don't apply to me?

Usually yes. The cost of honoring a reasonable access, deletion, or correction request is small, and refusing creates more friction than it solves. A simple operational policy of honoring reasonable requests regardless of jurisdiction is a defensible posture.

Bottom Line

State privacy law in 2026 is a patchwork — about twenty laws with overlapping but distinct obligations — and most small businesses fall below the formal thresholds. That's not an exemption; it's a reason to build a sensible, jurisdiction-neutral privacy posture rather than try to comply with each state individually. A real privacy policy, a monitored privacy contact, cookie consent where appropriate, and a practical response process cover the realistic risk for most small businesses far better than panic compliance.

If you'd like an honest look at where your site stands across this patchwork, book a free call. Privacy posture is built into every site we build at Nerd Stack, and we coordinate with your counsel for the legal text.

Sources: IAPP — US State Privacy Legislation Tracker; California Attorney General — CCPA; FTC — Children's Online Privacy Protection Rule.