State Privacy Laws Are Multiplying: Operators Must Adapt Now
TL;DR: The U.S. now has 18 active state data privacy laws, with four more taking effect by 2028. Each law sets different thresholds, consent rules, and opt-out requirements โ and non-compliance penalties run up to $10,000 per violation. High-spend operators in regulated verticals need to audit their data pipelines before enforcement catches up.
The Patchwork Is Real and Getting Worse
There is no federal data privacy law. Congress has failed to pass one despite years of bipartisan pressure. What exists instead is a growing stack of state-level statutes โ 18 currently in force, four more scheduled through 2028, and states like Louisiana and Vermont recently added to the list. California went first in 2020. Indiana, Kentucky, and Rhode Island went live January 1, 2026. Oklahoma, Alabama, and Louisiana take effect in 2027. Vermont follows in 2028.
Each law has its own thresholds. California hits businesses with $25 million+ in annual revenue or those processing data on 100,000+ consumers. Maryland bans the sale of personal data outright and limits collection to what is “strictly necessary.” Connecticut just dropped its processing threshold from 100,000 to 35,000 consumers and added disclosure requirements for companies that use personal data to train large language models. These are not copy-paste statutes. The differences in scope, consent mechanisms, and enforcement powers are substantial โ and they compound fast when you operate across multiple states.
Montana’s attorney general no longer needs to offer a cure period before bringing an enforcement action. Rhode Island and Montana both carry penalties up to $7,500 to $10,000 per violation. Texas and Nebraska apply to any business that isn’t classified as a small business under the SBA definition, regardless of consumer volume. If your lead gen or media buying operation touches consumers in multiple states, you are almost certainly operating under multiple overlapping legal frameworks right now.
What the Laws Actually Require
Despite their differences, the state laws share a common floor of consumer rights: the right to access, correct, delete, and obtain a portable copy of personal data. Opt-out mechanisms for targeted advertising and data sales are universal. Privacy notices are required everywhere.
Beyond that floor, the requirements diverge in ways that matter operationally. Oregon requires businesses to provide a list of specific third parties to whom personal data has been disclosed. Minnesota carries the same requirement. Connecticut now requires disclosure of whether personal data is used to train LLMs โ a clause that will catch a lot of martech stacks off guard. Vermont’s forthcoming law (effective 2028) goes further, requiring explicit affirmative opt-in consent before processing sensitive data and prohibiting geofencing within 1,850 feet of healthcare or reproductive health facilities.
Sensitive data definitions have also expanded. Virginia’s updated law prohibits collection of reproductive or sexual health information without consent โ covering everything from health diagnoses and medication purchases to algorithmically inferred reproductive status. Montana and Connecticut have added heightened protections for minors under 18, including outright bans on targeted advertising to minors that cannot be circumvented by parental consent. These aren’t edge cases for operators running performance campaigns that reach broad consumer audiences.
California’s DROP System Changes the Data Broker Equation
California’s Delete Request and Opt-Out Platform (DROP) launched January 1, 2026. It lets California residents submit a single deletion request that hits more than 500 registered data brokers simultaneously. Data brokers must start processing those requests by August 1, 2026.
This matters to performance operators because a meaningful share of third-party audience lists, suppression files, and retargeting segments are sourced from data brokers. If California residents start flushing their records at scale, the coverage and match rates on purchased lists will degrade. Operators relying heavily on third-party data for prospecting in California should start stress-testing their first-party data infrastructure now, not after August.
California’s DROP system is the first of its kind, but it will not be the last. Other states will watch adoption rates and enforcement outcomes before deciding whether to build similar platforms. The trajectory is toward more centralized consumer control over personal data, not less.
What This Means for High-CAC Verticals
Regulated verticals โ forex, iGaming, crypto, and legal โ already operate under compliance constraints that most DTC advertisers don’t face. State privacy laws add another layer. The risks are concentrated in three areas.
First, lead qualification. AI-driven lead qualification systems that ingest behavioral and demographic signals need to be mapped against each state’s definition of “sensitive data” and “profiling.” Connecticut’s updated law explicitly gives consumers the right to contest profiling decisions that produce legally significant effects. If you’re using algorithmic scoring to prioritize or exclude leads, that process is now regulatorily visible in at least one major state.
Second, targeting precision. Audience precision targeting built on third-party data or behavioral inference is the activity most uniformly restricted across all 18 laws. Opt-out requirements for targeted advertising exist in every state statute. Some โ Maryland, Connecticut, Montana โ carry outright prohibitions in certain contexts. Operators running paid media campaigns at scale need to verify that their DSP and ad platform setups honor universal opt-out signals, not just platform-specific consent flows.
Third, vertical-specific exposure. iGaming operators targeting consumers across multiple states face the highest surface area because gambling is already age-gated and geographically restricted โ adding state privacy compliance to that stack requires dedicated MOps resources, not just a checkbox in the privacy policy. Legal marketing operations running mass tort or PI campaigns need to be especially careful with health-related data; Virginia’s prohibition on processing reproductive and sexual health information without consent could intersect with intake forms that ask about medical history or treatment status.
Forex and crypto operators collecting financial account data will need to watch Vermont’s forthcoming law closely โ it lists financial account credentials as sensitive data requiring explicit opt-in consent before processing, which has direct implications for KYC and account verification workflows that currently run on implicit consent assumptions.
Upcoming Laws Operators Should Track Now
Four more state laws are scheduled to take effect before the end of 2028. Oklahoma (January 1, 2027) and Alabama (March 30, 2027) both apply to businesses processing data on 25,000+ consumers, with standard access, deletion, and opt-out requirements. Louisiana (January 1, 2027) applies to businesses with $25 million+ annual revenue or those processing 75,000+ consumer records.
Vermont’s law (January 1, 2028) is the most aggressive of the incoming statutes. It requires explicit opt-in for sensitive data, mandates LLM training disclosures, bans geofencing near health facilities, and extends consumer health data protections to any business operating in Vermont regardless of volume thresholds. Operators who are doing any kind of health-adjacent targeting โ including wellness, reproductive health, or mental health verticals โ should treat Vermont as a forcing function to clean up their data handling practices before 2028.
The Operational Response: Audit Before You’re Forced To
State-level privacy compliance isn’t a legal team problem โ it’s a data infrastructure problem that legal teams discover after the fact. The practical steps are straightforward, but they require prioritization.
Map your data flows by state. Know which states your consumers reside in, which laws apply to your processing volume thresholds, and which specific requirements those laws carry. Most operators discover they are subject to more state laws than they initially estimated once they actually run the numbers on consumer geography.
Audit your third-party data sources. Purchased lists, data broker segments, and third-party behavioral data are the highest-risk inputs in any performance campaign stack. A full marketing data audit should include a vendor-by-vendor review of data provenance, consent chain, and compatibility with your state compliance obligations.
Update your privacy notices and opt-out mechanisms. Generic privacy policies that reference “California law” are not sufficient coverage for Maryland, Connecticut, or Montana. Each state has specific disclosure requirements. Connecticut now requires LLM training disclosures. Oregon and Minnesota require disclosure of specific third parties. If your privacy notice was last updated before 2024, it is almost certainly out of compliance with multiple active laws.
For operators in forex lead generation, crypto acquisition, and CDL recruitment campaigns, the compliance question is the same as the performance question: garbage data quality in, wasted spend out. Privacy law compliance and first-party data discipline point in the same direction.
Originally reported by MarTech, July 2026.
Get a playbook for your vertical
Forex lead gen
FTD acquisition, depositor funnels, regulated broker campaigns across Tier 1 & Tier 2 GEOs.
Explore → CryptoCrypto & Web3
Token launches, exchange user acquisition, DeFi protocol growth. Compliant campaigns only.
Explore → LegalLaw firm marketing
Mass tort, personal injury, immigration. High-intent lead gen for US law firms with $50K+/mo budgets.
Explore →