
New Privacy Laws in 2026: What Website Owners Need to Know

Six US states are rolling out new or updated privacy laws this year. If your website has visitors from any of these states, here is exactly what you need to do.

If you run a website in 2026, the privacy law landscape has shifted again. Six US states have enacted new privacy laws or significant amendments that take effect this year, joining the growing patchwork of state-level data protection regulations. Combined with GDPR enforcement in Europe and evolving requirements in Canada and Australia, staying compliant has never been more complex — or more important.

The good news? Most of these laws share common requirements. If you get your privacy policy right, you can cover the majority of them in one go. Here is a breakdown of the new privacy laws in 2026 and exactly what you need to do.

Which States Have New Privacy Laws in 2026?

Iowa Consumer Data Protection Act (ICDPA)

Iowa's privacy law, signed in 2023, reaches full enforcement in 2026. It applies to businesses that control or process data of 100,000+ Iowa consumers, or 25,000+ consumers if you derive over 50% of revenue from selling personal data. Key requirements include clear privacy notices, consumer rights to access and delete data, and opt-out mechanisms for data sales and targeted advertising.

Indiana Consumer Data Protection Act (INCDPA)

Indiana follows a similar model to Virginia's VCDPA. It applies to businesses operating in Indiana that process data of 100,000+ consumers or 25,000+ consumers with revenue from data sales. Your privacy policy must disclose categories of data collected, purposes of processing, and how consumers can exercise their rights.

Tennessee Information Protection Act (TIPA)

Tennessee's law is business-friendly but still requires meaningful privacy disclosures. It includes a 60-day cure period for violations. Revenue threshold: $25 million or processing data of 175,000+ consumers. A notable feature is its affirmative defence for businesses following the NIST Privacy Framework.

Montana Consumer Data Privacy Act (MCDPA)

Montana has one of the lowest thresholds — it applies to businesses processing data of just 50,000 consumers (excluding payment transactions). Given Montana's smaller population, this catches businesses that might not expect to be covered. You must provide privacy notices, honour opt-out requests, and conduct data protection assessments for certain processing activities.

Oregon Consumer Privacy Act (OCPA) — Amendments

Oregon's 2026 amendments expand the original law. The key change: businesses must now honour universal opt-out signals (like the Global Privacy Control browser setting). If a user's browser sends a GPC signal, you must treat it as a valid opt-out from data sales and targeted advertising. Your privacy policy must state whether you recognise these signals.

Delaware Personal Data Privacy Act (DPDPA) — Amendments

Delaware's updates align with Oregon's approach: mandatory recognition of universal opt-out mechanisms, expanded consumer rights, and new requirements around sensitive data. Delaware also requires businesses to provide clear disclosures about automated decision-making.

What Do These Laws Have in Common?

Despite being passed by different states, the new privacy laws in 2026 share remarkably similar requirements:

  • Privacy policy disclosures — You must clearly state what data you collect, why, who you share it with, and how long you retain it.
  • Consumer rights — Rights to access, correct, delete, and port personal data. Some states add the right to opt out of profiling.
  • Opt-out rights — Consumers can opt out of data sales, targeted advertising, and (in some states) profiling.
  • Universal opt-out signals — Oregon and Delaware now require honouring GPC signals. Other states may follow.
  • Data protection assessments — Required before processing sensitive data, selling personal data, or engaging in targeted advertising.
  • Sensitive data consent — Explicit consent needed before processing health data, biometric data, precise geolocation, racial/ethnic origin, or children's data.

What Website Owners Must Do Right Now

1. Update Your Privacy Policy

This is the single most important step. Your privacy policy needs to cover:

  • Categories of personal data you collect
  • Purposes for each category
  • Third parties you share data with (analytics, advertising, payment processors)
  • Consumer rights and how to exercise them
  • Your data retention periods
  • Whether you sell data or use it for targeted advertising
  • Whether you honour universal opt-out signals
  • Contact information for privacy requests

LegalForge generates a privacy policy that covers all of these requirements automatically, tailored to your specific business type and the jurisdictions you operate in.

2. Implement Opt-Out Mechanisms

Every state requires you to let consumers opt out of data sales and targeted advertising. If you use Google Analytics, Facebook Pixel, retargeting ads, or similar tools, you need a way for users to say no. At minimum, include a clear "Do Not Sell My Data" link in your footer.

3. Honour Browser Privacy Signals

If you have visitors from Oregon or Delaware, you must now detect and respect the Global Privacy Control (GPC) signal. When a browser sends this signal, treat it as an opt-out from data sales and targeted advertising — no pop-up needed.
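Steps 2 and 3 reduce to one server-side decision: does this request carry an opt-out, either through the `Sec-GPC: 1` request header that GPC-enabled browsers send or through a preference saved by the footer link? The code below is an added example, not LegalForge code; the `dns_optout` cookie name, the tag inventory and the function names are assumptions made for illustration.

```javascript
// Added example: optOutDecision, allowedTags, TAGS and the "dns_optout"
// cookie are hypothetical names, not part of any real product or library.

// Purposes an opt-out covers, per the article: data sales and targeted advertising.
const OPT_OUT_PURPOSES = new Set(["data_sale", "targeted_ads"]);

// Constructed tag inventory; a real site would list its own third-party scripts.
const TAGS = [
  { name: "session", purpose: "essential" },
  { name: "retargeting-pixel", purpose: "targeted_ads" },
  { name: "audience-broker-sync", purpose: "data_sale" },
];

// Read one header from a Node-style headers object (lower-cased keys,
// value may be a string, an array of strings, or missing).
function headerValue(headers, name) {
  const raw = headers[name.toLowerCase()];
  const first = Array.isArray(raw) ? raw[0] : raw;
  return typeof first === "string" ? first.trim() : "";
}

// Parse a Cookie header into a prototype-free map.
function parseCookies(cookieHeader) {
  const out = Object.create(null);
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Decide whether this request carries an opt-out, and where it came from.
// GPC is checked first: it applies without any prior interaction or pop-up.
function optOutDecision(headers) {
  if (headerValue(headers, "Sec-GPC") === "1") return { optedOut: true, source: "gpc" };
  const cookies = parseCookies(headerValue(headers, "Cookie"));
  if (cookies["dns_optout"] === "1") return { optedOut: true, source: "footer-link" };
  return { optedOut: false, source: "none" };
}

// Names of the tags that may be rendered into the page for this request.
function allowedTags(headers, tags = TAGS) {
  const { optedOut } = optOutDecision(headers);
  return tags
    .filter((t) => !(optedOut && OPT_OUT_PURPOSES.has(t.purpose)))
    .map((t) => t.name);
}
```

In the browser the same preference is exposed as `navigator.globalPrivacyControl`; deciding on the server means an opted-out visitor never receives the blocked scripts in the first place.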

4. Review Your Data Processing

Audit what data you collect and why. If you process sensitive data (health information, biometrics, precise location, children's data), you need explicit consent before processing. Consider conducting a formal data protection impact assessment.

5. Update Your Cookie Banner

If you serve EU visitors (GDPR) or use tracking cookies, your cookie consent banner needs to work properly. Many states now treat cookie data as personal information. Make sure your banner offers real choices, not just a "Got it" button.

Penalties for Non-Compliance

The penalties vary by state but follow a common pattern:

  • Iowa: Up to $7,500 per violation, enforced by the Attorney General
  • Indiana: Up to $7,500 per violation after a 30-day cure period
  • Tennessee: Up to $7,500 per violation with a 60-day cure period and NIST framework defence
  • Montana: Up to $7,500 per violation, 60-day cure period
  • Oregon: Up to $7,500 per violation, no cure period for repeat offenders
  • Delaware: Up to $10,000 per violation, 60-day cure period

These add up fast. A single data breach or enforcement action involving thousands of users could result in penalties in the millions.

How LegalForge Keeps You Compliant

Keeping track of privacy laws across multiple states is overwhelming, especially when the rules keep changing. That is exactly why we built LegalForge.

Our AI-powered generator creates a privacy policy, terms of service, and cookie policy tailored to your business in 60 seconds. It automatically includes the required disclosures for GDPR, CCPA, and the new privacy laws in 2026 — so you do not have to track every state law yourself.

  • Covers all 50 US states plus EU/UK GDPR
  • Auto-includes opt-out disclosures and consumer rights sections
  • Customised to your business type (SaaS, eCommerce, blog, app)
  • One-time payment of £19 — no subscription

Stay Compliant With 2026 Privacy Laws

Generate a privacy policy that covers GDPR, CCPA, and all the new state laws — in 60 seconds.
