TL;DR
As of January 1, 2026, 19 US states have enacted comprehensive consumer privacy legislation. Indiana, Kentucky, and Rhode Island joined the list in 2026. With multi-jurisdictional enforcement now standard—coordinated by the 10-state Consortium of Privacy Regulators—businesses need organized compliance documentation. Convert: Anything to PDF and Convert: Web to PDF let you save compliance records, policy versions, and regulatory guidance locally—free, no upload, no account.
The 19-State Privacy Law Map in 2026
Comprehensive consumer privacy legislation—following broadly similar models to the CCPA and GDPR—now covers a substantial majority of the US population. As of January 1, 2026:
In effect as of 2026:
- California (CCPA, CPRA) — the template for most state laws
- Virginia (VCDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Utah (UCPA)
- Iowa (ICDPA)
- Indiana (IDPL) — effective January 1, 2026
- Tennessee (TIPA)
- Montana (MCDPA)
- Texas (TDPSA)
- Oregon (OCPA)
- Florida (FDBR)
- Delaware (DPDPA)
- New Hampshire (NHPA)
- New Jersey (NJDPA)
- Nebraska (NDPA)
- Minnesota (MHRA)
- Kentucky (KCPA) — effective January 1, 2026
- Rhode Island (RIDPP) — effective January 1, 2026
This isn't a federal law—it's 19 separate state laws, each with distinct requirements, definitions, consumer rights, and enforcement mechanisms. Compliance isn't a single standard; it's a matrix.
Why Multi-Jurisdictional Enforcement Has Changed the Calculus
For years, state privacy law enforcement was primarily the domain of individual state attorneys general, each operating independently. The 2025 formation of the Consortium of Privacy Regulators—now comprising 10 states—changed the enforcement landscape materially.
What the Consortium does:
- Pools investigative resources across member states
- Shares intelligence on potential violations, complaints, and patterns
- Coordinates joint enforcement actions so multiple states can act simultaneously
- Allows smaller states to participate in enforcement of violations they couldn't pursue alone
The practical effect: A business in Texas that collects data from California, Virginia, and Connecticut residents previously faced enforcement risk from three separate AGs with separate teams, caseloads, and priorities. Today, a complaint to the Consortium can trigger a coordinated review by up to 10 states simultaneously.
The Illuminate Education settlement—involving California, Connecticut, and New York—was an early example of this coordination. Expect more.
What Compliance Documentation You Should Maintain
Privacy Policy Version History
Privacy policies are legal documents that change. The document you publish today may differ from what you published six months ago. In enforcement proceedings, investigators often want to know what your privacy policy said at the time a specific consumer's data was collected.
What to document:
- Your current privacy policy as a PDF (date it clearly)
- Material updates: save a new PDF any time you change consent language, data retention clauses, or consumer rights disclosures
- The policy that was in effect on any date relevant to a specific enforcement inquiry
Data Processing Records
Under most state privacy laws, controllers (companies that determine how data is used) must maintain records of their processing activities. These typically include:
- Categories of personal data collected
- Purposes for which data is used
- Categories of third parties with whom data is shared
- How long data is retained
These records are often maintained in internal documents—spreadsheets, Word documents, internal wikis. Converting them to PDF creates a stable, datable record that's appropriate for an audit response.
Vendor Data Processing Agreements
You likely share personal data with vendors: email marketing platforms, analytics providers, customer support tools, payment processors. Most state privacy laws require written data processing agreements (DPAs) with these vendors.
Maintaining PDFs of executed DPAs—as of the date they were signed and at each amendment—is basic compliance hygiene. These are the documents you produce when an AG asks "show me your agreements with your data processors."
Consumer Rights Request Records
State privacy laws give consumers the right to access, correct, delete, and port their personal data. They also typically give consumers the right to opt out of data sales, targeted advertising, and profiling.
When you receive and respond to these requests, maintaining records—who requested what, when, and how you responded—creates the audit trail that demonstrates compliance. Even simple records (a dated PDF of the request and your response) are sufficient for most small-to-mid-size businesses.
Regulatory Guidance Documents
State privacy regulators publish guidance, enforcement priorities, FAQ documents, and rule interpretations. These documents are published on government websites and change as regulators refine their positions.
Saving regulatory guidance as PDF when you read it documents your compliance understanding at that point in time. If a regulator later issues guidance that changes the interpretation, having the earlier guidance shows you acted in good faith under the standards that existed when you made your compliance decisions.
The CCPA DROP Platform: What to Document
California launched the Delete Request and Opt-out Platform (DROP) on January 1, 2026. Data brokers must check the platform every 45 days starting August 1, 2026.
If your business qualifies as a data broker under California law (broadly: selling or sharing personal information collected about consumers with whom you don't have a direct relationship), you need to:
- Register with the CPPA's data broker registry
- Access the DROP platform on the required schedule
- Process opt-out and deletion requests submitted through the platform
- Maintain records of that processing
Documentation for DROP compliance:
- Your registration confirmation
- Records of each DROP platform access and requests processed
- Your internal process for handling DROP requests
These records are candidates for PDF conversion and archiving—they're the evidence you'd present in an audit.
How to Build a Practical Privacy Compliance Document Library
You don't need enterprise compliance software to maintain this documentation. A structured folder system with dated PDFs handles the compliance documentation needs of most small-to-mid-size businesses.
Recommended Folder Structure
Privacy Compliance/
  Policies/
    PrivacyPolicy_2026-01-01.pdf
    PrivacyPolicy_2026-04-01.pdf (updated)
    TermsOfService_2026-01-01.pdf
  Vendor DPAs/
    Mailchimp_DPA_2025-11-15.pdf
    GoogleAnalytics_DPA_2026-01-01.pdf
    Stripe_DPA_2025-09-01.pdf
  Regulatory Guidance/
    California_CPPA_DataBrokerFAQ_2026-03-15.pdf
    Virginia_AG_EnforcementGuidance_2026-02-01.pdf
  Consumer Rights Requests/
    Request_2026-04-15_Access_Response.pdf
    Request_2026-04-22_Deletion_Response.pdf
  Risk Assessments/
    DataProcessingRiskAssessment_2026-01-01.pdf
Converting Policy Pages to PDF
Your published privacy policy lives at a URL on your website. Convert: Web to PDF captures it as a clean, searchable PDF in one click. The file's creation date records when you captured it.
Set a calendar reminder to capture your policy any time you make updates.
Converting Vendor DPAs to PDF
DPAs from SaaS vendors are typically:
- Web pages you must accept in the vendor's admin portal
- PDF downloads the vendor provides
- Embedded in the vendor's terms of service
For web-based DPAs, Convert: Web to PDF captures the accepted version. For downloaded files, Convert: Anything to PDF converts Word or other formats to PDF if the vendor provides them in a non-PDF format.
Converting Internal Documents to PDF
Internal privacy documentation—data maps, risk assessments, processing records—often lives in Word documents, Google Docs, or Excel spreadsheets. Converting these to PDF creates stable, dated snapshots that aren't accidentally modified.
Convert: Anything to PDF handles Word (.docx), Excel (.xlsx), and other common formats locally—no upload, no cloud service that might store your sensitive internal compliance documents.
State-Specific Nuances Worth Documenting
California
The CPPA has the most active enforcement program. Key documentation priorities: data broker registration, DROP platform compliance records, and consent records for sensitive data processing.
Texas
Texas's TDPSA creates liability for businesses that don't respond to consumer requests within 45 business days. Maintaining timestamped records of requests and responses is directly relevant to the statutory safe harbor.
Indiana, Kentucky, Rhode Island (New in 2026)
These states largely follow the Virginia VCDPA model, with broadly similar consumer rights and controller obligations. The key for businesses: if you weren't compliant with Virginia's law, you're now exposed in three more states. The same compliance program often covers all three.
Oregon
Oregon's OCPA has some of the broadest definitions—particularly around "sensitive data"—and was one of the first state laws to explicitly address data broker obligations in detail.
Comparison: Manual Documentation vs. Compliance Software
| Approach | Cost | Effort | Appropriate For |
|---|---|---|---|
| Manual PDF filing (extensions) | Free | Low | Small businesses, solo operators |
| Spreadsheet + PDF | Free | Medium | Small-to-mid businesses |
| Privacy management software (OneTrust, TrustArc) | $5K–$50K+/year | Medium | Mid-to-large enterprises |
| Legal counsel engagement | Variable | Low (for client) | All sizes for high-stakes review |
| Automated compliance platforms | $500–$2K/year | Low | Growing SMBs |
For businesses under roughly 50 employees, a structured manual filing system with PDFs is genuinely sufficient for most state privacy law documentation requirements. The cost of enterprise compliance software is only justified when the volume and complexity of compliance work exceed what manual processes can handle.
Frequently Asked Questions
Q: Do I have to comply with every state's privacy law if I have customers everywhere?
Generally, yes—most state privacy laws apply based on where consumers reside, not where your business is located. A business in Ohio with California customers must comply with CCPA. However, many state laws have thresholds (California's threshold is processing data of 100,000+ consumers/year or deriving 50%+ of revenue from selling personal data), so smaller businesses may fall below some thresholds.
Q: How is the 19-state landscape expected to evolve?
Several additional states have privacy legislation in various stages of passage. Industry observers expect 25+ states to have comprehensive privacy laws by 2027. A federal privacy law remains politically stalled but is discussed annually.
Q: Is GDPR compliance still relevant for US businesses in 2026?
Yes, if you have EU or UK customers. GDPR and UK GDPR continue to apply. Most well-structured US state privacy compliance programs have significant overlap with GDPR requirements, making combined compliance more manageable.
Q: What's the typical penalty for state privacy law violations?
Penalties vary by state. California's CPPA can seek up to $2,500 per unintentional violation and $7,500 per intentional violation. Texas can seek up to $7,500 per violation. Multi-state enforcement multiplies these amounts. Class action exposure varies—some states allow private rights of action (California for data breaches), others don't.
Q: Should small businesses be worried about enforcement?
The current enforcement focus is on large platforms and data brokers. But the trend is toward broader enforcement as state programs mature. The Consortium enables smaller investigations that would previously have been below individual AGs' radar. Having basic documentation in place protects you even if enforcement never comes.
The Bottom Line
Nineteen state privacy laws, a coordinating enforcement consortium, and the COPPA April 2026 deadline together represent the most active period of US privacy law enforcement ever. The documentation requirement is real—and it doesn't require expensive software.
Convert: Anything to PDF converts your internal compliance documents, vendor agreements, and exported records locally. Convert: Web to PDF saves your published policies and regulatory guidance pages from any browser.
Build the folder. Date the files. The compliance documentation you need is mostly already in your systems—it just needs to be captured.