By the start of 2026, twenty US states have comprehensive consumer privacy laws in force. Eight laws — covering Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland — took effect during 2025. The Indiana, Kentucky, and Rhode Island laws became effective January 1, 2026. Connecticut's amendments, Arkansas's law, and Utah's expansion take effect July 1, 2026. California's data broker registration regime adds a new layer August 1, 2026. The privacy community has thoroughly documented the consumer-rights provisions. What gets less attention is the security side: nearly every law includes a "reasonable security" duty, mandatory data-protection assessments for higher-risk processing, and breach-notification timelines that interact with the federal stack. Security teams, not only the privacy program, need to read the laws for the obligations they create.
What does "reasonable security" actually mean across states?
Each state law obligates controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data processed. The text is similar across states, derived loosely from the FTC's reasonable-security doctrine. What differs is enforcement posture. California has stood up a Privacy Protection Agency with rulemaking and enforcement authority. Connecticut, New Jersey, and Texas have active attorney general enforcement units. Other states are still building enforcement capacity. The practical effect is that the security floor is the same across states; the audit pressure is higher in a subset of them. Reasonable security in 2026 effectively requires a written program (people, process, technology), risk-based controls including MFA and encryption for sensitive data, third-party security oversight, an incident response capability, and the documentation to show all of the above.
What are data protection assessments and which laws require them?
Most states require a controller to conduct a written data protection assessment (DPA) before engaging in certain higher-risk processing activities. Triggering activities typically include processing sensitive personal data, targeted advertising, sale of personal data, profiling that produces legal or significant effects, and processing children's data. The DPA must weigh benefits to controller, consumer, and public against risks to the consumer, taking into account the use of de-identification, the reasonable expectations of consumers, and the context of processing. Texas, Connecticut, Colorado, Virginia, New Jersey, and others mandate DPAs in some form; California's risk-assessment regulation is the most prescriptive and most clearly aligned with security controls. DPAs become security artifacts in addition to privacy artifacts: they require a controller to identify the technical safeguards mitigating the identified risks.
What about sensitive personal data?
Sensitive categories vary slightly by state but consistently include precise geolocation, racial or ethnic origin, religion, sexual orientation, citizenship or immigration status, genetic data, biometric data, and health data. Several states require opt-in consent for processing sensitive data; others apply a heightened protection standard. The security implication is that controllers must segment systems that process sensitive personal data, apply tightened access controls, and document the additional safeguards. Many security teams have historically classified data only as "PII" or "non-PII"; the state laws now require finer classification and finer corresponding control mappings.
How do the state breach notification clocks interact with federal regimes?
Each state has its own breach notification statute, but the comprehensive privacy laws layer additional expectations including notice obligations to the attorney general for incidents above defined thresholds. A nationwide breach of a controller's systems can trigger up to fifty state attorney-general notifications under varying clocks ranging from "as expeditious as possible" to specific 30-day, 45-day, 60-day, or 90-day windows. Layered on top are FTC Safeguards Rule notification (30 days), HIPAA Breach Notification (60 days), SEC Item 1.05 disclosure (four business days from materiality determination), NYDFS Part 500 (72 hours for events, 24 hours for ransom), and CIRCIA (72/24 hours) when finalized. A modern incident-response playbook needs a notification matrix that fires the right notice to the right regulator on the right clock from the same shared evidence base.
```text
# Notification matrix excerpt for a multistate controller
T+0    Detect incident, activate IR
T+24h  NYDFS ransom payment notice, if applicable
T+24h  CIRCIA ransom payment report, if applicable (when finalized)
T+72h  NYDFS event report
T+72h  CIRCIA event report (when finalized)
T+4bd  SEC 8-K Item 1.05, if material (four business days from the materiality determination)
T+30d  FTC Safeguards Rule (>=500 customers)
T+30d  Maine, Maryland, Vermont AG (date-of-discovery)
T+45d  Various state AG offices (state-by-state)
T+60d  HIPAA Breach Notification
T+90d  Remaining state notifications
```
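The matrix above is only useful if the IR playbook can compute the actual calendar deadlines for a given incident, because the clocks do not all start from the same event: the ransom clocks run from the payment, the SEC clock runs in business days from the materiality determination, and the rest run from detection. The following is an added example written for this article; it is not the article's, any regulator's, or any vendor's code. It encodes exactly the clocks listed in the excerpt (24h, 72h, 4 business days, 30/45/60/90 days). Which clock applies to a given controller is expressed through caller-set flags (an assumption about how coverage is tracked), the per-state AG clock table must be supplied explicitly so the code never guesses a state's statute, and the business-day arithmetic skips weekends but not public holidays (assumption). The sample incident and the state name "StateX" are constructed placeholders.

```python
"""Breach-notification deadline matrix for a multistate controller (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Obligation:
    regulator: str
    clock: str          # the clock that applies, as written in the matrix
    starts_from: str    # which timestamp the clock runs from
    deadline: datetime


@dataclass
class Controller:
    """Coverage flags; in practice these come from the compliance inventory (assumption)."""
    nydfs_covered: bool = False        # NYDFS Part 500 covered entity
    circia_covered: bool = False       # CIRCIA covered entity (rule not yet final)
    sec_registrant: bool = False       # files Form 8-K
    hipaa_covered: bool = False        # HIPAA covered entity or business associate
    ftc_safeguards_customers: int = 0  # affected customers; >=500 triggers the FTC notice


# State AG clocks from the matrix excerpt; every other state must be added explicitly.
STATE_AG_CLOCK_DAYS = {"Maine": 30, "Maryland": 30, "Vermont": 30}


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays; Saturday and Sunday are skipped, holidays are not (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def build_matrix(ctrl: Controller, detected: datetime, affected_states: list[str],
                 state_clock_days: Optional[dict[str, int]] = None,
                 materiality_determined: Optional[datetime] = None,
                 ransom_paid: Optional[datetime] = None) -> list[Obligation]:
    """Return every applicable notice for this incident, earliest deadline first."""
    clocks = STATE_AG_CLOCK_DAYS if state_clock_days is None else state_clock_days
    out: list[Obligation] = []
    # 24-hour clocks run from the ransom payment, not from detection.
    if ransom_paid is not None:
        if ctrl.nydfs_covered:
            out.append(Obligation("NYDFS Part 500", "24h", "ransom payment",
                                  ransom_paid + timedelta(hours=24)))
        if ctrl.circia_covered:
            out.append(Obligation("CISA (CIRCIA, when finalized)", "24h", "ransom payment",
                                  ransom_paid + timedelta(hours=24)))
    if ctrl.nydfs_covered:
        out.append(Obligation("NYDFS Part 500", "72h", "detection", detected + timedelta(hours=72)))
    if ctrl.circia_covered:
        out.append(Obligation("CISA (CIRCIA, when finalized)", "72h", "detection",
                              detected + timedelta(hours=72)))
    # The SEC clock is four business days from the materiality determination, which may
    # be made days after detection; no determination yet means no deadline yet.
    if ctrl.sec_registrant and materiality_determined is not None:
        out.append(Obligation("SEC Form 8-K Item 1.05", "4 business days",
                              "materiality determination",
                              add_business_days(materiality_determined, 4)))
    if ctrl.ftc_safeguards_customers >= 500:
        out.append(Obligation("FTC Safeguards Rule", "30d", "detection", detected + timedelta(days=30)))
    if ctrl.hipaa_covered:
        out.append(Obligation("HIPAA Breach Notification", "60d", "detection",
                              detected + timedelta(days=60)))
    for state in affected_states:
        if state not in clocks:
            # Refuse to guess: an unconfigured state is a gap in the matrix, not a 90-day default.
            raise ValueError(f"no AG clock configured for {state}; add it to the state table")
        n = clocks[state]
        out.append(Obligation(f"{state} AG", f"{n}d", "detection", detected + timedelta(days=n)))
    return sorted(out, key=lambda o: o.deadline)   # stable sort keeps insertion order on ties


def due_within(matrix: list[Obligation], now: datetime, window: timedelta) -> list[Obligation]:
    """Notices whose deadline falls inside [now, now + window], for the daily IR stand-up."""
    return [o for o in matrix if now <= o.deadline <= now + window]


def sample_matrix() -> list[Obligation]:
    """Constructed sample incident (not a real event): detected Thursday 2026-03-05 09:00."""
    ctrl = Controller(nydfs_covered=True, circia_covered=True, sec_registrant=True,
                      hipaa_covered=True, ftc_safeguards_customers=1200)
    clocks = dict(STATE_AG_CLOCK_DAYS, StateX=45)   # "StateX" is a placeholder state name
    return build_matrix(ctrl, datetime(2026, 3, 5, 9, 0), ["Maine", "StateX"], clocks,
                        materiality_determined=datetime(2026, 3, 6, 14, 0),
                        ransom_paid=datetime(2026, 3, 6, 10, 0))


if __name__ == "__main__":
    for o in sample_matrix():
        print(f"{o.deadline:%Y-%m-%d %H:%M}  {o.regulator:<32} {o.clock} from {o.starts_from}")
```

Two design choices matter here. First, the function raises on a state with no configured clock rather than falling back to the 90-day row, because a silently wrong deadline is worse than a loud gap during an incident. Second, every obligation records which timestamp its clock runs from, so the evidence base can show an auditor not just when the notice went out but why that date was the deadline.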
What do the 2025-2026 amendments to existing laws change?
Nine states amended their existing comprehensive privacy laws during 2025. Common amendment themes: tightened protections for minors, sometimes through an age-appropriate design overlay; expanded sensitive-data categories (especially adding consumer health data outside HIPAA scope); expanded controller obligations on automated decision-making and AI-driven profiling; and added private rights of action in limited contexts. California's risk-assessment regulation, finalized through 2025, also produced detailed timelines for first-cycle assessments. Connecticut and Arkansas added age-appropriate design code requirements with first-effective dates in 2026. Texas added a separate Data Broker Registration Act effective in 2024 with continuing operational implications. The amendment cadence indicates a maturing regulatory environment: legislatures are responding to enforcement experience and to the rapid emergence of AI use cases.
What about consumer health data and reproductive privacy?
Several states — Washington (My Health My Data Act, in effect since 2024), Nevada, and California (AB 254, AB 45) — have enacted consumer health data privacy laws that reach data not covered by HIPAA. These laws prohibit the sale of consumer health data without consent, restrict geofencing around health care facilities, and impose specific security expectations on entities holding consumer health data. For SaaS firms outside the traditional healthcare regulatory perimeter — fitness apps, mental wellness platforms, period trackers — these laws functionally extend HIPAA-style controls into the consumer technology stack. Security teams supporting such products need to apply HIPAA-grade access controls, encryption, and breach response even though no HIPAA covered entity is involved.
How does this map to controls security teams already operate?
A mature security program built for SOC 2, NIST CSF 2.0, or ISO 27001 generally satisfies the technical core of the state-privacy security requirements. The gaps tend to be administrative and documentation-focused: a written information security program approved by leadership; a documented risk and data-protection assessment regimen mapped to triggering processing activities; explicit identification of sensitive data and corresponding control mappings; a multistate notification matrix integrated with the IR plan; and vendor oversight with state-specific contractual language. Building a single control framework that supports federal regimes (HIPAA, FTC Safeguards Rule, CIRCIA, SEC, GLBA) and state regimes through a common evidence base is the only sustainable path; running parallel compliance shadows is a documented predictor of audit failure.
How Safeguard Helps
Safeguard inventories the data flows, software components, and SaaS systems that touch personal data, with classification metadata supporting fine-grained categorization including sensitive personal data and consumer health data outside HIPAA scope. Griffin AI ties processing-activity inventories to the security controls protecting each, producing data-protection-assessment evidence that maps to multiple state-law DPA requirements from one source. TPRM workflows manage third-party oversight obligations under each state regime, with contractual safeguards verification, breach-notification cooperation clauses, and continuous monitoring for material posture changes. Policy gates can also block deployments that would introduce new sensitive-data flows without corresponding DPA completion, integrating privacy and security gates into the same release control plane.