Updated March 26, 2026

Privacy Policy Requirements by State in 2026

State privacy laws change privacy policy drafting in different ways. Some states add website disclosure rules, some change the opt out path, and some require a separate notice.

For ecommerce brands and other online businesses, the practical question is which states change the disclosures, links, rights language, opt-out mechanics, or separate notices a business has to publish. The answer is fewer states than the headlines suggest, but the ones that count change the policy in concrete ways.

Start with the common disclosure baseline

Across many modern state privacy laws, the baseline notice pattern is becoming familiar. A covered business is expected to tell consumers what categories of personal data it processes, why it processes that data, what categories of third parties receive it, what rights consumers have, how requests can be submitted, and how an appeal works if a request is denied.

That common baseline helps, but several states reach past it. Some add separate website-operator disclosures, while others require universal opt-out treatment, more specific sale language, plain-language accessibility features, or even a separate privacy policy for certain categories of data.

  • Categories of personal data collected or processed
  • Purposes for processing
  • Categories of third parties that receive the data
  • Consumer rights and request methods
  • Appeal instructions where required
  • Sale and targeted advertising disclosures where relevant

California

California is the state that changes privacy policy drafting the most for many online businesses. At the website-operator level, CalOPPA requires operators of commercial websites and online services that collect personally identifiable information from California consumers to conspicuously post a privacy policy. California also requires disclosure of how your site responds to Do Not Track signals or similar mechanisms.

For businesses covered by the CCPA as amended by the CPRA, your privacy policy and the Notice at Collection work together. The California Attorney General explains that the Notice at Collection must be provided at or before collection and must list the categories of personal information collected and the purposes for which those categories are used. Current CPPA rules also require the notice to state whether each category is sold or shared, how long each category is retained or the criteria used to set retention, and to link to the relevant privacy policy section.

If your business sells or shares personal information, California requires specific footer and opt-out language. The rules call for a Notice of Right to Opt-out of Sale or Sharing and, in many cases, a Do Not Sell or Share My Personal Information link or a compliant alternative link. If your business uses or discloses sensitive personal information outside the limited statutory purposes, California can also require a separate right-to-limit notice.

Colorado

Colorado follows the broader comprehensive-law pattern, but it adds a policy-level twist that catches online businesses. The Colorado Attorney General says covered businesses must provide a privacy notice that explains the types of personal data processed, the purpose for processing, the type of data shared with third parties, the categories of third parties, and how consumers can exercise their rights.

Colorado also requires clear and conspicuous disclosure if personal data is sold or processed for targeted advertising and says consumers must be able to opt out through the privacy notice and through a readily accessible location outside the privacy notice. Beginning July 1, 2024, covered businesses also have to honor recognized universal opt-out mechanisms such as Global Privacy Control.

Colorado reaches past the text of your privacy policy. It can also change your site footer layout and the way your business records universal opt-out handling in the policy itself.

Connecticut

Connecticut is important for two reasons. First, its privacy notice requirements follow the common comprehensive-law model and require notice about the types of personal data processed, the purposes for processing, whether and why the controller shares personal data with third parties, and how consumers may exercise their rights.

Second, Connecticut has been unusually active on enforcement and policy development. In February 2026, the Connecticut Attorney General released an updated report stating that the office's 2025 work included active investigations involving children's and teens' online safety, connected vehicles and geolocation data, gaming platforms, chatbots, and data brokers.

That same report says 2025 amendments to the CTDPA include stronger minors' protections and a new disclosure requirement related to artificial intelligence that requires companies to disclose whether personal data is used to train large language models. If your business targets teens, relies on geolocation, or uses personal data in AI training, Connecticut should be reviewed more carefully than a generic multi-state template allows.

Delaware

Delaware is one of the clearest examples of why a single generic policy can miss state-specific rules. Delaware's older online privacy law for commercial websites, online services, and mobile apps requires privacy policies to disclose the effective date, describe how your site responds to web browser Do Not Track signals, and disclose whether anyone other than the operator may collect personally identifiable information about a user's online activities over time and across different sites, services, and applications.

Delaware's newer Personal Data Privacy Act adds a second layer for covered businesses. The Delaware Department of Justice says privacy policies must tell residents what personal information is collected, why it's collected, who it's shared with, whether it's sold and how to opt out, and what rights residents have and how to exercise them.

Delaware is also unusual in how directly it addresses readability. The Delaware Department of Justice says notices must be easy to understand, free from legal and technical jargon, readable on a smaller screen, available in the languages in which your business provides other information such as contracts or sales announcements, and reasonably accessible to consumers with disabilities.

Nevada

Nevada is easy to miss because its law is narrower than California's, but it creates website-operator disclosure duties that can apply even when a business doesn't meet broader comprehensive-law thresholds elsewhere. Nevada law requires an operator to make available a notice that identifies the categories of covered information collected and the categories of third parties with whom that information may be shared.

Nevada's notice also has to describe any process for consumers to review and request changes to covered information, describe how consumers are notified of material changes to the notice, disclose whether a third party may collect covered information about a consumer's online activities over time and across different sites or services, and state the effective date of the notice.

Nevada also stands out because the Attorney General has emphasized that websites must include a link where Nevada residents can submit a request that their private information not be sold. For many businesses, that means Nevada affects both your privacy policy text and the functional request pathway.

Oregon

Oregon looks similar to other comprehensive-law states at first glance, but the statute adds a requirement that affects both policy drafting and internal data mapping. Oregon gives consumers the right to obtain, at the controller's option, a list of specific third parties to which the controller has disclosed the consumer's personal data or any personal data.

That is more specific than the category-level disclosure many privacy teams are used to. If the Oregon law applies, your business should think beyond broad privacy policy categories, because the data map has to support a more detailed downstream disclosure when a consumer asks for it.

For drafting purposes, Oregon shows that the privacy policy is only part of the compliance project. The internal data inventory has to be detailed enough to support the rights the law grants consumers.

Texas

Texas follows the standard comprehensive-law pattern in many respects, but its required notice language makes it stand out. The Texas Attorney General says a covered controller's privacy notice must include the categories of personal data processed, the categories of personal data shared with third parties, the categories of third parties, and how consumers can exercise and appeal their rights.

Texas adds a requirement when the company sells sensitive personal data or biometric data. In that situation, the Attorney General says the privacy notice must include the specific disclosures "NOTICE: We may sell your sensitive personal data" and "NOTICE: We may sell your biometric personal data."

Texas also requires companies that sell personal data to third parties or process data for targeted advertising to clearly and conspicuously disclose that fact and explain how a consumer can opt out. For businesses with precise geolocation, biometric data, or advertising-heavy funnels, Texas changes your policy text directly.

Washington and separate health data notices

Washington appears here because its My Health My Data Act can require a standalone privacy notice separate from your general privacy policy. The Act sets its own placement and content rules, so a longer general policy cannot absorb it.

The Washington Attorney General states that a regulated entity or small business covered by the My Health My Data Act must prominently publish a link to its Consumer Health Data Privacy Policy on its homepage. The link must be separate and distinct, and the health data policy may not contain additional information not required by that Act.

More businesses fall under this than expect to. Washington's guidance explains that inferences about health status drawn from purchase behavior can qualify as consumer health data, so a wellness brand, symptom tracker, fertility product, supplement business, or even a retailer making health-related inferences may need more than a standard ecommerce privacy policy.

How to use this in practice

Trying to solve all of this with a single broad paragraph about privacy rights is the easiest mistake to make. A stronger approach builds the policy around the states that change the disclosures in concrete ways, then confirms the operational pieces behind the policy support those disclosures.

  • Check whether California, Nevada, or Delaware website-operator rules apply even if broader state-law thresholds don't
  • Review whether your business sells data, shares data for targeted advertising, or uses sensitive data in ways that trigger special notices
  • Map third-party recipients carefully if Oregon, Delaware, Colorado, or California are in play
  • Add universal opt-out and footer logic where Colorado or California requires it
  • Review whether teen users, geolocation, AI training, or health data create extra state-specific disclosure duties
  • Treat readability, language access, and disability access as drafting requirements, not design extras

Key Takeaways

  • State privacy laws use different disclosure patterns, so a privacy policy has to match the states that reach your site.
  • California, Nevada, Delaware, Colorado, Oregon, Texas, Connecticut, and Washington are among the states most likely to change the text, links, or separate notices a business needs.
  • Narrow website-operator laws, like Nevada's, can change your drafting as much as the broad comprehensive statutes.
  • A privacy policy only works if the data map, rights workflow, opt-out handling, and vendor setup behind it are accurate.
