The U.S. privacy regulatory landscape has reached a tipping point. By early 2026, comprehensive consumer privacy laws are active or taking effect in 20+ states — California (CCPA/CPRA), Texas (TDPSA), Oregon, Colorado, Florida, Maryland, and a growing list tracked by the IAPP's U.S. State Privacy Legislation Tracker. Each one introduces nuanced requirements for consumer opt-out, sensitive-data processing, data minimization, and vendor diligence — and unlike GDPR's unified framework, the U.S. approach creates a genuine patchwork where the definition of "sensitive data," the accepted opt-out mechanisms, and the obligations placed on processors vary state by state. GSDSI's Privacy Center and Do Not Sell controls are built to honor those mechanisms automatically.
Key Takeaways
20+ states now have comprehensive privacy laws, and the list grows every legislative session. Per-state compliance logic is a losing strategy; the durable baseline is the most restrictive standard, applied uniformly.
Several states now require businesses to honor the Global Privacy Control (GPC) signal as a valid opt-out. See the California AG's enforcement posture on GPC for what honoring looks like in practice: the browser-sent Sec-GPC: 1 request header has to be detected and acted on at collection time, not just acknowledged in a policy.
Sensitive-data categories now explicitly include precise geolocation, health-adjacent inferences, and (in some statutes) financial account data. A documented assessment (the statutes' "data protection assessment" or, in California, "risk assessment"; this page uses DPIA as shorthand) is expected for any processing activity that touches these categories.
Vendor diligence obligations have shifted from a nice-to-have to a statutory requirement. Buyers ask for the provenance trail, the consent architecture, and the DPIA — not just the data file.
Why the Patchwork Is the Problem
Unlike GDPR, the U.S. approach creates a patchwork of definitions, rights, and thresholds. California's CPRA includes precise geolocation in sensitive personal information; Colorado's CPA treats it similarly; Washington's My Health My Data Act (a sectoral health-data law rather than a comprehensive statute) classifies precise location that could reasonably indicate an attempt to obtain health services as consumer health data. The FTC's guidance on biometric and sensitive data anchors the federal baseline for what counts as sensitive, and state statutes extend it. Building per-state compliance logic into a data pipeline is a treadmill: the state count goes up, the logic goes up, and the audit surface compounds. The durable architecture is to adopt the most restrictive standard across categories and apply it uniformly.
Global Privacy Control Is Now Mandatory Honoring
Multiple states, California, Colorado, and Connecticut among them, now require businesses to honor the Global Privacy Control signal as a valid opt-out mechanism. This is a technical obligation, not just a policy one. Per the GPC specification the signal arrives as the Sec-GPC request header with the exact value 1 (any other value carries no meaning) and is exposed to page scripts as navigator.globalPrivacyControl; the server has to detect it on each request and map it to the user's opt-out state at that moment, and a site can declare its support by publishing /.well-known/gpc.json. For buyers of third-party data, this translates into a procurement question: does the provider's collection stack honor GPC upstream, and can they prove it? GSDSI's collection partners are contractually bound to honor GPC, and the Do Not Sell flow on this site is a functional reference implementation. For the downstream buyer context, see what privacy-safe actually means when buying location data.
Sensitive Data and When DPIAs Are Required
Most 2026 state statutes explicitly list processing categories that trigger a documented assessment obligation. The statutes call it a data protection assessment (the Colorado/Virginia model, including Texas) or a risk assessment (California); this page uses the GDPR term DPIA as shorthand for all of them. Location data at precise coordinates, inferences about health or sexual orientation, financial account data, and data relating to children are the most common triggers. The DPIA is a documented artifact: processing purpose, data categories, retention, risk analysis, mitigating controls. For a platform buyer, this means every processing activity that touches these categories needs a written DPIA that procurement and legal can inspect. Practical framework:
Inventory every data pipeline and tag which sensitive categories (if any) flow through it.
For each tagged pipeline, author a DPIA covering purpose, legal basis, retention, minimization, and third-party transfers.
Wire the DPIA into procurement — legal approval blocks pipeline activation until the DPIA is signed.
Re-review DPIAs annually or when the processing purpose changes materially.
Vendor Diligence Is Now Statutory, Not Optional
State statutes (CPRA, VCDPA, CPA, CTDPA, TDPSA) now place specific obligations on controllers vis-à-vis their processors — contractual requirements, subprocessor flow-downs, cooperation with DSARs, and documented security/privacy programs. Procurement teams that used to accept a marketing datasheet now ask for the full provenance trail — source, consent architecture, collection methodology, and a named DPO contact. Vendors that make this frictionless (datasheet + DPIA + consent-architecture diagram + GPC honoring proof in one package) close deals faster. GSDSI's diligence pack for data buyers is structured around this requirement set; see 5 Questions to Ask Before Licensing a MAID Feed for the buyer-side counterpart.
The Durable Compliance Architecture
Three moves create an architecture that scales as the state count grows:
Adopt the most restrictive standard across CPRA + TDPSA + WA MHMDA as the baseline, applied uniformly nationwide. Don't build per-state branching into the data path; keep instead a short mapping of which statute each baseline control satisfies, so per-state questions from auditors can still be answered.
Implement functional GPC honoring at collection, not just at display: the opt-out recorded from the Sec-GPC header must flow through to downstream data joining and suppression, not just dismiss a banner.
Instrument every pipeline with a DPIA + provenance trail as artifacts that buyers, regulators, and internal auditors can inspect. Treat documentation as a first-class deliverable alongside the data file itself.
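The two GPC points above (detecting the signal at collection, and flowing the resulting opt-out down to the join step) in working code, as an added example. This is not GSDSI's Do Not Sell implementation; the record shapes, identifier names, the in-memory opt-out store, and the sample requests are all constructed for illustration. Only the header name and the "1" value come from the GPC specification, as does the shape of the /.well-known/gpc.json support resource.

```javascript
// Added example: GPC detection and opt-out flow-down to a downstream join.
// Not GSDSI's code; names, record shapes and sample traffic are assumptions.
// Per the GPC spec, the request header is "Sec-GPC" and only the exact value
// "1" signals an opt-out; any other value has no meaning.

// Detect a valid GPC opt-out. `headers` is a plain object with lowercased
// keys, as Node's http module exposes them; duplicate headers arrive as a
// single comma-joined string, so split before comparing.
function gpcSignalled(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined || raw === null) return false;
  const values = Array.isArray(raw) ? raw : String(raw).split(",");
  return values.some((v) => v.trim() === "1");
}

// Resolve the effective opt-out state for one request. A valid GPC signal
// takes precedence over a stored opt-in (the conservative reading; confirm
// conflict-handling rules against the applicable regulation text). The
// `reason` field makes the decision auditable later.
function resolveOptOut(headers, storedPreference) {
  if (gpcSignalled(headers)) {
    return { optedOut: true, reason: "gpc-header" };
  }
  if (storedPreference && storedPreference.optedOut) {
    return { optedOut: true, reason: "stored-opt-out" };
  }
  return { optedOut: false, reason: "no-opt-out" };
}

// Build the opt-out store from observed requests. Keyed by identifier;
// values carry the decision, its reason and a timestamp for the audit trail.
function buildOptOutStore(reqs) {
  const store = new Map();
  for (const r of reqs) {
    const decision = resolveOptOut(r.headers, r.stored);
    store.set(r.id, { ...decision, at: new Date().toISOString() });
  }
  return store;
}

// Flow the opt-out down to the data layer: before a batch is joined with
// third-party data, drop rows for opted-out identifiers and return what was
// suppressed so the join step can log it.
function suppressOptedOut(records, optOutStore) {
  const kept = [];
  const suppressed = [];
  for (const rec of records) {
    const state = optOutStore.get(rec.id);
    if (state && state.optedOut) {
      suppressed.push({ id: rec.id, reason: state.reason });
    } else {
      kept.push(rec);
    }
  }
  return { kept, suppressed };
}

// Body of the GPC support resource served at /.well-known/gpc.json;
// `lastUpdate` is an ISO 8601 date per the spec. Value here is assumed.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample traffic (not real requests): one GPC opt-out, one stored
// opt-out with no header, and one header value that is not a valid signal.
const sampleRequests = [
  { id: "maid-001", headers: { "sec-gpc": "1" }, stored: { optedOut: false } },
  { id: "maid-002", headers: {}, stored: { optedOut: true } },
  { id: "maid-003", headers: { "sec-gpc": "0" }, stored: null },
];

// Constructed batch about to be joined with third-party data.
const sampleBatch = [
  { id: "maid-001", lat: 37.7, lon: -122.4 },
  { id: "maid-002", lat: 30.3, lon: -97.7 },
  { id: "maid-003", lat: 45.5, lon: -122.7 },
];

const optOutStore = buildOptOutStore(sampleRequests);
const joinInput = suppressOptedOut(sampleBatch, optOutStore);
console.log(JSON.stringify(joinInput, null, 2));
console.log(JSON.stringify(gpcWellKnown("2026-01-15")));
```

Running it keeps only maid-003 for the join and records maid-001 (header) and maid-002 (stored preference) as suppressed with their reasons. The suppressed list and the timestamped store entries are the kind of artifact a buyer can ask for when they ask a provider to prove GPC honoring upstream.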
The data providers that maintain market position through this regulatory evolution will be the ones that make compliance frictionless for their buyers — supplying not just data but the documentation, provenance, and DPIAs that procurement and legal need to approve the partnership.
Frequently Asked Questions
How many states have comprehensive privacy laws in 2026?
20+ and rising. The IAPP tracker is the canonical reference; new laws are enacted every legislative session. The practical implication is that per-state compliance logic is architectural debt from day one.
What's the most efficient way to stay compliant across all states?
Adopt the most restrictive standard (currently CPRA + TDPSA + WA MHMDA for the categories they uniquely cover) as the baseline and apply it uniformly. Building per-state branching into data pipelines is a treadmill — every new statute adds more branches and more audit surface. Uniform most-restrictive also simplifies DPIA authoring.
Is honoring Global Privacy Control (GPC) mandatory?
Yes in multiple states. California, Colorado, and Connecticut among others treat the GPC signal as a valid opt-out mechanism that businesses must detect and honor. The California AG's CCPA enforcement page and the GPC spec are the authoritative references. Implementation is a technical requirement, not just a policy statement: the Sec-GPC: 1 request header has to be detected at collection and the resulting opt-out applied to downstream processing.
What documentation do modern data buyers expect from a data vendor?
Provenance trail (source + collection methodology), consent architecture diagram, GPC honoring proof, DPIA template, named DPO contact, and documented opt-out flow-down. Marketing datasheets are no longer sufficient at procurement. GSDSI's Privacy Center documents the full stack.