2026-05-17 · 9 min read

US state privacy laws beyond CCPA: TDPSA, VCDPA, and what indie SaaS founders need to know

There is no federal US privacy law. Instead, there are 19 state laws as of 2026, each with its own thresholds, definitions, and consumer rights. Most indie SaaS founders ignore everything outside California and Texas — and most are missing real obligations. Here's the actual map of who you need to comply with, in plain English.

The map as of May 2026

19 US states have comprehensive consumer-privacy laws in force or about to enter into force. The list as of mid-2026:

  • California — CCPA / CPRA (in force, the original)
  • Virginia — VCDPA (2023)
  • Colorado — CPA (2023)
  • Connecticut — CTDPA (2023)
  • Utah — UCPA (2023)
  • Iowa — ICDPA (2025)
  • Indiana — INCDPA (2026)
  • Tennessee — TIPA (2025)
  • Montana — MCDPA (2024)
  • Texas — TDPSA (2024)
  • Oregon — OCPA (2024)
  • Delaware — DPDPA (2025)
  • New Hampshire — NHPA (2025)
  • New Jersey — NJDPA (2025)
  • Minnesota — MCDPA (2025)
  • Maryland — MODPA (2025)
  • Rhode Island — RIPA (2026)
  • Nebraska — NDPA (2025)
  • Kentucky — KCDPA (2026)

Do any of these apply to you?

Each law has its own applicability thresholds. The thresholds boil down to: (a) you do business in the state OR target residents there, AND (b) you process data of at least N residents per year. The N varies. Practical thresholds for indies:

  • 100K: California (CCPA threshold)
  • 100K: Virginia, Colorado, Connecticut, Texas
  • 25K + sale: Utah, Iowa, Tennessee
  • 35K: Oregon
  • 50K: New Hampshire, Delaware, NJ

The honest rule of thumb

If your SaaS has fewer than 25,000 US users and isn't selling data, most state laws don't apply yet. If you have between 25K and 100K, you trigger ~half the state laws. Above 100K, every state law applies to you and you need a unified compliance program.

What you must do if a law applies

Every state law gives consumers the same core set of rights, with minor variations. If you handle even one state, building a workflow that handles all of them is barely more work.

  1. Right to know — provide a copy of personal data on request. Implement a /privacy/data-request endpoint or email channel.
  2. Right to delete — delete personal data on request (with limited exceptions like billing records).
  3. Right to correct — let users fix inaccurate data.
  4. Right to portability — provide a machine-readable export.
  5. Right to opt out of sale or targeted advertising — show a 'Do Not Sell / Share' link on every page (most states require this prominently).
  6. Right to opt out of profiling for significant decisions — covers algorithmic decisioning.

Universal opt-out signals (GPC)

Colorado, Connecticut, Texas, and New Hampshire all require honoring Global Privacy Control (GPC) signals — a browser-level Do Not Sell flag. Implementing GPC is one of the cheapest compliance wins; it's a 10-line JavaScript check that sets the user's opt-out preference automatically.
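The check described above, as an added example that is not code from the article: one pure decision function applied to the browser's `navigator.globalPrivacyControl` flag and, for server-side rendering, to the `Sec-GPC` request header. The stored preference only ever moves toward opt-out; the storage key `doNotSellShare` and the fake `win` object are assumptions for illustration.

```javascript
// Added example (not the article's code). GPC shows up in two places:
//   - in the browser: navigator.globalPrivacyControl === true
//   - on the server:  request header "Sec-GPC: 1"
// resolveOptOut() is pure, so it can be unit-tested without a real browser.

// The GPC spec defines "1" as the only value that means opt-out.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return String(raw ?? '').trim() === '1';
}

function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// `stored` is the preference already recorded for this user:
// true = opted out, false = not opted out, undefined = never set.
// A GPC signal is an opt-out request; an absent signal never re-enables
// sale/share for someone who already opted out.
function resolveOptOut({ nav = null, headers = {}, stored } = {}) {
  const signal = gpcFromNavigator(nav) || gpcFromHeaders(headers);
  if (signal) return { optedOut: true, source: 'gpc' };
  if (stored === true) return { optedOut: true, source: 'stored' };
  return { optedOut: false, source: stored === false ? 'stored' : 'default' };
}

// Read the persisted preference from localStorage (assumed key name).
function readPref(win) {
  const v = win.localStorage.getItem('doNotSellShare');
  return v === null ? undefined : v === '1';
}

// Browser-side entry point: run once on page load, before any ad or
// analytics tag is loaded, and persist the opt-out so it survives reloads.
function applyGpcInBrowser(win) {
  const decision = resolveOptOut({ nav: win.navigator, stored: readPref(win) });
  if (decision.optedOut) win.localStorage.setItem('doNotSellShare', '1');
  return decision;
}
```

Server-side, call `resolveOptOut({ headers: req.headers, stored })` before rendering any third-party tag so an opted-out visitor never receives it.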

What you must publish

  1. Privacy policy listing categories of data collected, purposes, third parties, retention. Every state requires this; California requires the most detail.
  2. Children's privacy section if you process data of users under 16 (some states) or 13 (California, federally under COPPA).
  3. Sale / share / targeted-advertising disclosure if you do any of those activities, with the opt-out link prominently displayed.
  4. Contact information for data subject requests — typically a privacy@ email or a form.
  5. Notice at collection — at the moment you collect data, a short notice describing what you're collecting and why.

Texas TDPSA — what's different

The Texas Data Privacy and Security Act took effect in July 2024. Two things make it notable:

  1. Lower applicability threshold than most states — covers businesses 'that produce a product or service consumed by Texas residents.' No revenue or user-count floor. This is the broadest applicability test in the US.
  2. Sensitive-data consent requirement — racial, religious, health, sexual-orientation, biometric, citizenship, precise geolocation, and child data require opt-in consent before processing, not opt-out. This is closer to GDPR than to other US states.

Practical effect: if you have any Texas users and you process any sensitive data, you need explicit opt-in. Most indie SaaS does not — but anyone in health, wellness, dating, or family-related products does.

California CPRA — what's different (and important)

California is the oldest and strictest. Two specific things you can't ignore:

  1. Private right of action for data breaches — California is the only state where consumers can directly sue for breaches involving statutory damages ($100–$750 per consumer per incident). For a 10K-user breach, that's $1M–$7.5M minimum exposure.
  2. Sensitive personal information separate category — CA defines 'sensitive PI' broadly (precise geolocation, racial origin, religion, mail/text contents, biometric, health, financial, account credentials, sex life). Sensitive PI has separate notice and opt-out requirements ('Limit the Use of My Sensitive Personal Information').

The unified compliance program (90 minutes of work)

If you build for the strictest state's requirements, you cover all 19. The strictest baseline:

  1. Publish one privacy policy that meets California's CPRA disclosure requirements (the most detailed). Tools like Iubenda and Termly generate compliant policies.
  2. Implement universal data-subject requests at one address (privacy@yourdomain). Honor requests from residents of any of the 19 states through this one channel.
  3. Honor GPC signals globally (treat it as opt-out for everyone, regardless of state).
  4. Add 'Do Not Sell or Share My Personal Information' link in your footer.
  5. If you process any data of children under 13, comply with federal COPPA — this is separate from state laws and has higher penalties.

What you can ignore (for now)

  • States with very high thresholds (Utah 100K + $25M revenue) — most indies don't meet them.
  • Federal privacy law — the ADPPA died in committee multiple times; nothing imminent.
  • Industry-specific carve-outs (HIPAA-covered, GLBA-covered) — unless you're in those industries, irrelevant.

Free compliance scan

Comply Code scans your live site for the disclosure patterns these laws require — privacy policy presence, 'Do Not Sell' link, data-request channel, COPPA flags if children's content is detected. Free, no signup.

Common questions.

I have 5,000 US users. Do any of these laws apply to me?

Probably not yet — most thresholds start at 25K-100K users. But Texas's TDPSA has no user-count floor; if you have any Texas resident as a user and you sell anything, it applies. The cheap insurance: build a unified privacy program now while it's small, so you don't have to retrofit at scale.

Do I need separate privacy policies for each state?

No — one comprehensive policy meeting California's requirements satisfies them all. Add a section noting that residents of specific states have specific rights, and provide one universal data-request channel. The complexity is in the operational workflows, not the documentation.

What does 'sale of personal information' even mean?

Surprisingly broad. Most laws define 'sale' as exchanging personal data for ANY consideration — not just money. So if you share data with an ad partner in exchange for analytics, that counts as a sale in most states. This is why so many sites suddenly added 'Do Not Sell' links — CCPA's definition surprised people. The safe answer: assume any third-party data sharing might count and offer the opt-out.

How fast must I respond to a consumer request?

Most state laws give you 45 days to respond, extendable by 45 more days with notice. California (CCPA) is similar. Texas (TDPSA) is 45 days. Plan operationally for 30 days as the safe internal SLA.

What are the actual fines?

They vary widely. California's CPRA: up to $7,500 per intentional violation, $2,500 per non-intentional. Texas's TDPSA: up to $7,500 per violation. Virginia's VCDPA: $7,500 per violation. Most states cap by violation, not by user — so a single configuration error that affects 10,000 users is potentially $75M of theoretical exposure. In practice, enforcement focuses on bad actors, not honest mistakes — but the headline numbers matter.

Should I use a consent management platform?

For US-only laws, usually not needed at indie scale — the obligations are about disclosure and opt-out workflows, not opt-in. For EU GDPR + US state laws combined, a CMP becomes useful. Cookiebot, OneTrust, Osano all handle the consent layer if you need it.
