Privacy Policy Requirements by State in 2026
State privacy laws change privacy policy drafting in different ways. Some states add website disclosure rules, some change the opt-out path, and some require a separate notice.
For ecommerce brands and other online businesses, the practical question is which states change the disclosures, links, rights language, opt-out mechanics, or separate notices your business needs to publish.
Start with the common disclosure baseline
Across many modern state privacy laws, the baseline notice pattern is becoming familiar. A covered business is expected to tell consumers what categories of personal data it processes, why it processes that data, what categories of third parties receive it, what rights consumers have, how requests can be submitted, and how an appeal works if a request is denied.
That common baseline is useful, but it does not solve everything. Some states require separate website-operator disclosures. Others require universal opt-out treatment, more specific sale language, plain-language accessibility features, or even a separate privacy policy for certain categories of data.
- Categories of personal data collected or processed
- Purposes for processing
- Categories of third parties that receive the data
- Consumer rights and request methods
- Appeal instructions where required
- Sale and targeted advertising disclosures where relevant
California
California is the state that changes privacy policy drafting the most for many online businesses. At the website-operator level, CalOPPA requires operators of commercial websites and online services that collect personally identifiable information from California consumers to conspicuously post a privacy policy. California also requires disclosure of how your site responds to Do Not Track signals or similar mechanisms.
For businesses covered by the CCPA as amended by the CPRA, your privacy policy and the Notice at Collection work together. The California Attorney General explains that the Notice at Collection must be provided at or before collection and must list the categories of personal information collected and the purposes for which those categories are used. The current CPPA rules also require the notice to state whether each category is sold or shared, how long each category is retained or the criteria used to set retention, and to link to the relevant privacy policy section.
If your business sells or shares personal information, California also drives footer and opt-out language. The rules require a Notice of Right to Opt-out of Sale or Sharing and, in many cases, a Do Not Sell or Share My Personal Information link or a compliant alternative link. If your business uses or discloses sensitive personal information outside the limited statutory purposes, California can also require a separate right-to-limit notice.
Colorado
Colorado follows the broader comprehensive-law pattern, but it has a very important policy-level twist for online businesses. The Colorado Attorney General says covered businesses must provide a privacy notice that explains the types of personal data processed, the purpose for processing, the type of data shared with third parties, the categories of third parties, and how consumers can exercise their rights.
Colorado also requires clear and conspicuous disclosure if personal data is sold or processed for targeted advertising, and says consumers must be able to opt out both through the privacy notice and through a readily accessible location outside the privacy notice. Beginning July 1, 2024, covered businesses also have to honor recognized universal opt-out mechanisms such as Global Privacy Control.
That means Colorado does not just change the text of your privacy policy. It can also change the layout of your site footer and the way your business documents the handling of universal opt-out requests in your policy itself.
Connecticut
Connecticut is important for two reasons. First, its privacy notice requirements follow the common comprehensive-law model and require notice about the types of personal data processed, the purposes for processing, whether and why the controller shares personal data with third parties, and how consumers may exercise their rights.
Second, Connecticut has been unusually active on enforcement and policy development. In February 2026, the Connecticut Attorney General released an updated report stating that the office's 2025 work included active investigations involving children's and teens' online safety, connected vehicles and geolocation data, gaming platforms, chatbots, and data brokers.
That same report says 2025 amendments to the CTDPA include stronger minors' protections and a new disclosure requirement related to artificial intelligence that requires companies to disclose whether personal data is used to train large language models. If your business targets teens, relies on geolocation, or uses personal data in AI training, Connecticut should be reviewed more carefully than a generic multi-state template allows.
Delaware
Delaware is one of the clearest examples of why a single generic policy can miss state-specific rules. Delaware's older online privacy law for commercial sites, services, apps, and mobile apps requires privacy policies to disclose the effective date, describe how your site responds to web browser Do Not Track signals, and disclose whether anyone other than the operator may collect personally identifiable information about a user's online activities over time and across different sites, services, and applications.
Delaware's newer Personal Data Privacy Act adds a second layer for covered businesses. The Delaware Department of Justice says privacy policies must tell residents what personal information is collected, why it is collected, who it is shared with, whether it is sold and how to opt out, and what rights residents have and how to exercise them.
Delaware is also unusual in how directly it addresses readability. The Delaware Department of Justice says notices must be easy to understand, free from legal and technical jargon, readable on a smaller screen, available in the languages in which your business provides other information such as contracts or sales announcements, and reasonably accessible to consumers with disabilities.
Nevada
Nevada is easy to miss because its law is narrower than California's, but it creates website-operator disclosure duties that can apply even when a business does not meet broader comprehensive-law thresholds elsewhere. Nevada law requires an operator to make available a notice that identifies the categories of covered information collected and the categories of third parties with whom that information may be shared.
Nevada's notice also has to describe any process for consumers to review and request changes to covered information, describe how consumers are notified of material changes to the notice, disclose whether a third party may collect covered information about a consumer's online activities over time and across different sites or services, and state the effective date of the notice.
Nevada also stands out because the Attorney General has emphasized that websites must include a link where Nevada residents can submit a request that their private information not be sold. For many businesses, that means Nevada affects both your privacy policy text and the functional request pathway.
Oregon
Oregon looks similar to other comprehensive-law states at first glance, but the statute includes a feature that can affect both policy drafting and internal data mapping. Oregon gives consumers the right to obtain, at the controller's option, a list of specific third parties to which the controller has disclosed the consumer's personal data or any personal data.
That is more specific than the category-level disclosure many privacy teams are used to. If the Oregon law applies, your business should think beyond broad privacy policy categories and make sure its data map can support a more detailed downstream disclosure when a consumer asks for it.
For drafting purposes, Oregon is a reminder that a privacy policy is only part of the compliance project. The internal data inventory has to be detailed enough to support the rights the law gives consumers.
Texas
Texas follows the standard comprehensive-law pattern in many respects, but its required notice language makes it stand out. The Texas Attorney General says a covered controller's privacy notice must include the categories of personal data processed, the categories of personal data shared with third parties, the categories of third parties, and how consumers can exercise and appeal their rights.
Texas goes further if the company sells sensitive personal data or biometric data. In that situation, the Attorney General says the privacy notice must include the specific disclosures "NOTICE: We may sell your sensitive personal data" and "NOTICE: We may sell your biometric data."
Texas also requires companies that sell personal data to third parties or process data for targeted advertising to clearly and conspicuously disclose that fact and explain how a consumer can opt out. For businesses with precise geolocation, biometric data, or advertising-heavy funnels, Texas can change your policy text in a very direct way.
Washington and separate health data notices
Washington appears here because its My Health My Data Act can require a separate privacy notice rather than a longer version of your general privacy policy.
The Washington Attorney General states that a regulated entity or small business covered by the My Health My Data Act must prominently publish a link to its Consumer Health Data Privacy Policy on its homepage. The link must be separate and distinct, and the health data policy may not contain additional information not required by that Act.
This can matter for more businesses than they expect. Washington's guidance explains that inferences about health status drawn from purchase behavior can qualify as consumer health data. A wellness brand, symptom tracker, fertility product, supplement business, or even a retailer making health-related inferences may need more than a standard ecommerce privacy policy.
How to use this in practice
The easiest mistake is trying to solve all of this with a single broad paragraph about privacy rights. A stronger approach is to build your policy around the states that change the disclosures in concrete ways, then make sure the operational pieces behind your policy support those disclosures.
- Check whether California, Nevada, or Delaware website-operator rules apply even if broader state-law thresholds do not
- Review whether your business sells data, shares data for targeted advertising, or uses sensitive data in ways that trigger special notices
- Map third-party recipients carefully if Oregon, Delaware, Colorado, or California are in play
- Add universal opt-out and footer logic where Colorado or California requires it
- Review whether teen users, geolocation, AI training, or health data create extra state-specific disclosure duties
- Treat readability, language access, and disability access as drafting requirements, not design extras
Key Takeaways
- State privacy laws use different disclosure patterns, so a privacy policy has to match the states that reach your site.
- California, Nevada, Delaware, Colorado, Oregon, Texas, Connecticut, and Washington are among the states most likely to change the text, links, or separate notices a business needs.
- The states that create the biggest drafting differences are not always the states with the broadest laws.
- A privacy policy only works if the data map, rights workflow, opt-out handling, and vendor setup behind it are accurate.
Primary Sources
- California Department of Justice, California Consumer Privacy Act
- Colorado Attorney General, Colorado Privacy Act
- Colorado Attorney General, Universal Opt-Out and the Colorado Privacy Act
- Connecticut Attorney General, The Connecticut Data Privacy Act
- Connecticut Attorney General, Updated Report on the Connecticut Data Privacy Act
- Delaware Code, Online and Personal Privacy Protection
- Delaware Code, Delaware Personal Data Privacy Act
- Delaware Department of Justice, Personal Data Privacy Act FAQ
- Nevada Revised Statutes Chapter 603A
- Oregon Revised Statutes Chapter 646A
- Texas Attorney General, Texas Data Privacy and Security Act
- Washington Attorney General, Protecting Washingtonians' Personal Health Data and Privacy