Ultimate Guide to Retail Privacy Laws by State

By
The Reform Team
If you sell across the U.S., one privacy policy is not enough. As of June 30, 2026, 20 states have passed broad consumer privacy laws, and retailers now have to track different rules on thresholds, consent, Global Privacy Control (GPC), cure periods, and sensitive data.

Here’s the short version: if you run a retail brand, you should map your data flows, check which states you hit, review pixels and SDKs, honor opt-out signals, and set one request process that works across states. The risk often starts with normal retail tools like loyalty programs, ad tracking, session replay, geolocation, and biometric features.

What I’d focus on first:

  • California is still the toughest benchmark, with a $26,625,000 revenue trigger and fines up to $7,500 per intentional violation
  • Texas and Nebraska can apply even without a numeric data-volume trigger if the business is not an SBA small business
  • 12 states now require businesses to honor GPC opt-out signals
  • Some cure periods are gone, including in Colorado, Connecticut, and Rhode Island
  • Maryland bans the sale of sensitive data
  • New Jersey adds opt-in rules for teens ages 13–17 for targeted ads
  • Many states use a 45-day deadline to respond to consumer requests

Quick comparison

| Area | What retailers need to check |
|---|---|
| Scope | Which states apply based on revenue, consumer count, or business size |
| Consent | Whether sensitive data needs opt-in or opt-out handling |
| Ad tech | Whether cookies, pixels, and SDKs count as a sale or share |
| Consumer rights | Access, deletion, correction, portability, and ad opt-out |
| Browser signals | Whether GPC must be honored |
| Enforcement | Whether the state gives a cure period before penalties |

If I were building this from scratch, I’d use the article as a simple playbook: find the states, find the data, fix the tracking, tighten vendor terms, and test the request workflow on a set schedule.

U.S. State Privacy Laws: Key Requirements for Retailers (2026)

State-by-State Retail Privacy Law Reference

California and Other Established State Privacy Laws

The states below are usually the first ones multistate retailers need to map.

California's CCPA/CPRA is still the benchmark, and its annual gross revenue threshold has been inflation-adjusted to $26,625,000. For retailers, California is tougher than most states because it also covers employee data and B2B contact data. On top of that, the California Privacy Protection Agency (CPPA) can issue fines of up to $7,500 per intentional violation, calculated per affected consumer.

Virginia, Colorado, Connecticut, Utah, and Oregon all use a 100,000-consumer processing threshold. They also share the same core set of consumer rights: access, deletion, correction, portability, and opt-out of targeted advertising.

That said, the differences matter:

  • Colorado and Connecticut ended their cure periods on January 1, 2025, so violations can go straight to civil penalties.
  • Oregon bans the sale of data that identifies a consumer's location within a 1,750-foot radius.
  • Utah uses an opt-out model for sensitive data instead of opt-in and keeps a permanent 30-day cure period.

Texas and Other State Laws Taking Effect in 2024 to 2026

Texas (TDPSA, effective July 1, 2024) and Nebraska (NDPA, effective January 1, 2025) stand out for one simple reason: they don't use a numeric revenue or data-volume threshold. If your business is not a federally defined small business under SBA guidelines, the law can apply no matter how many Texans or Nebraskans you serve.

For mid-size retailers, that's easy to miss. A company might assume it's under the line when, in these states, there may be no line to hide behind.

New Jersey (effective January 15, 2025) and Maryland (MODPA, effective October 1, 2025) add more rules retailers need to track. Maryland is the first state to ban the sale of sensitive data outright.

New Jersey requires opt-in consent for consumers ages 13–17 for targeted advertising, and its cure period sunsets in 2026. Indiana, Kentucky, and Rhode Island took effect on January 1, 2026. Rhode Island stands out because it uses a 35,000-consumer threshold and has no cure period.

How to Compare State Requirements Side by Side

When you're sizing up a state law, focus on five things: the applicability threshold, whether sensitive data uses opt-in or opt-out, whether GPC signals must be honored, the cure period status, and who enforces the law. The table below pulls together the states that matter most for multistate retailers.

| State | Threshold | Sensitive Data Rule | GPC Required | Cure Period |
|---|---|---|---|---|
| California | $26.6M revenue or 100k consumers | Opt-out (Limit Use) | Yes | None |
| Virginia | 100k consumers | Opt-in | No | 30 days (permanent) |
| Colorado | 100k consumers | Opt-in | Yes | None (sunsetted 2025) |
| Connecticut | 100k consumers | Opt-in | Yes | None (sunsetted 2025) |
| Utah | $25M rev + 100k consumers | Opt-out | No | 30 days (permanent) |
| Texas | No numeric threshold (non-SBA) | Opt-in | Yes | 30 days |
| Nebraska | No numeric threshold (non-SBA) | Opt-in | Yes | 30 days |
| Maryland | 35k consumers | Sale banned / Opt-in | Yes | 60 days (sunsets 2027) |
| New Jersey | 100k consumers | Opt-in | Yes | 30 days (sunsets 2026) |
| Rhode Island | 35k consumers | Opt-in | No | None |

These rules show up fast in day-to-day retail operations, especially in loyalty programs, customer accounts, advertising, and data-sharing flows.

Retail Data Uses That Create Privacy Obligations

Loyalty Programs, Promotions, and Customer Accounts

Loyalty programs are a common place where retail privacy duties start. When someone joins a rewards program, they usually swap personal data (purchase history, preferences, and contact details) for discounts or points.

That exchange needs to be handled plainly. Share the material terms, avoid dark patterns, and don't punish customers for using their privacy rights. Keep account data only for as long as it's needed for the purpose you disclosed.

Things get tougher when data moves beyond the loyalty program itself. Once that same data flows into tracking or ad tools, more rules can kick in.

Website Tracking, Targeted Advertising, and Data Sharing

A lot of enforcement starts with one simple mistake: loading a pixel or SDK before consent or before honoring an opt-out. Under many state privacy laws, third-party ad cookies, pixels, and SDKs can trigger a sale-or-share duty when they send identifiers to ad partners. Where required, honor Global Privacy Control signals.

Session replay tools bring a separate risk. If they run on checkout or account signup pages, they may collect sensitive inputs, including keystrokes. Sensitive form fields should be masked before the tools record anything.

Sharing data with marketing, analytics, and fulfillment vendors also brings legal duties. If your contracts are missing the right Data Processing Agreement terms and sub-processor audit rights, that vendor may be treated as a third party getting a data sale instead of a processor.

Sensitive, Children's, and Biometric Data

The toughest rules apply when retail systems collect sensitive, children's, or biometric data. This is where mistakes can get expensive fast.

Most states (excluding California, Utah, and Iowa) require explicit opt-in consent before collecting sensitive personal information. That group includes precise geolocation, health data, and biometric identifiers. Virtual try-on and AR fitting tools can also create biometric risk. In Illinois, BIPA allows a private right of action with statutory damages assessed per scan.

Children's data adds one more layer. COPPA applies to children under 13 at the federal level, but some state rules go further. New Jersey requires opt-in consent for teens ages 13–17 for targeted advertising, and Connecticut and Oregon apply heightened protections for anyone under 16. Before launch, map the data type and the state trigger.

How to Build a Multistate Privacy Compliance Program

Once you know which retail data uses trigger state laws, the next step is turning that work into a process your team can repeat without starting from scratch every time.

Map Data Flows and Determine Which State Laws Apply

Start with your tag and pixel inventory. Document every script that touches consumer data, including Meta, Google, TikTok pixels, SDKs, and session replay tools. These tools are a common source of data-sharing and sale risk.

Then pull one year of order data and rank your customer counts by state. Check each state's trigger on its own, because the thresholds are all over the map.

It also helps to flag high-risk processing early. That includes:

  • biometrics
  • precise geolocation
  • profiling
  • targeted advertising
  • session replay tools

Run a quarterly tag re-scan too. Marketing teams often add pixels faster than legal can review them, and that gap can create real exposure.

Once the data map is done, update your notices, opt-outs, and request handling based on the states that are now in scope.

Build one base process around the consumer rights most states share, then add state-level rules where needed.

For opt-outs, honor Global Privacy Control (GPC) signals across the board. It's mandatory in 12 states, including California, Colorado, Texas, and Oregon. A privacy-choices link should send users to the right opt-out path for their state.
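One way to put the pixel-gating rule from the tracking section and the GPC baseline above into code, as an added example that is not part of the original post. The tag URLs are placeholders, the set of GPC states follows the article's comparison table, and the state code and recorded consent are assumed to come from the site's own geolocation, account, and banner logic.

```javascript
// Added example (not from the original post): a consent gate for third-party
// ad pixels/SDKs that honors the Global Privacy Control (GPC) signal and keeps
// tags blocked until an affirmative choice has been recorded.

// Placeholder tag URLs (constructed); replace with the scripts in your inventory.
const AD_TAGS = [
  "https://example.invalid/meta-pixel.js",
  "https://example.invalid/tiktok-sdk.js",
];

// States from the article's comparison table where honoring GPC is mandatory.
const GPC_REQUIRED = new Set(["CA", "CO", "CT", "TX", "NE", "MD", "NJ", "OR"]);

// Browsers expose GPC as navigator.globalPrivacyControl === true; on the server
// the same signal arrives as the request header "Sec-GPC: 1".
function readGpc({ navigatorLike = {}, headers = {} } = {}) {
  if (navigatorLike.globalPrivacyControl === true) return true;
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// state: two-letter code from your own geolocation/account logic (assumed).
// consent: "granted" | "denied" | "unknown", as recorded by your own banner.
function decideAdTags({ state, gpc, consent }) {
  const gpcRequired = GPC_REQUIRED.has(state);
  // Baseline from the article: honor GPC everywhere, not only where mandated,
  // and treat it as an opt-out of sale/share and targeted advertising.
  if (gpc) return { load: false, gpcRequired, reason: "GPC opt-out honored" };
  if (consent === "granted") return { load: true, gpcRequired, reason: "consent recorded" };
  if (consent === "denied") return { load: false, gpcRequired, reason: "consent denied" };
  // Default-deny: with no recorded choice the pixel must not fire.
  return { load: false, gpcRequired, reason: "no consent recorded" };
}

// Inject scripts only when allowed. `inject` is passed in so the same code works
// in the browser (appending a <script> element) and in tests.
function gateAdTags(decision, inject) {
  if (!decision.load) return [];
  for (const src of AD_TAGS) inject(src);
  return AD_TAGS.slice();
}

// Browser wiring (runs only when a DOM is present).
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const decision = decideAdTags({
    state: "CA", // assumption: obtained from your own geolocation/account logic
    gpc: readGpc({ navigatorLike: navigator }),
    consent: localStorage.getItem("adConsent") ?? "unknown",
  });
  gateAdTags(decision, (src) => {
    const s = document.createElement("script"); s.src = src; s.async = true;
    document.head.appendChild(s);
  });
}
```

The `gpcRequired` flag is returned alongside the decision so the audit trail records whether a blocked tag was a legal obligation in that state or the across-the-board baseline.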

Consumer request handling also needs a set intake path and a clear clock. Most states require a 45-day response window, with a possible 45-day extension. A branded, multi-step intake form with validation, spam prevention, and routing to the right team can keep things orderly. It also gives you an audit trail, which matters if questions come up later.

Then it becomes a matter of keeping the program tight with assessments, vendor reviews, and a set schedule for tracking new laws.

Document Assessments and Track New State Laws

Cure periods are shrinking or disappearing, so don't count on notice-and-cure delays to buy time. Review state laws on a fixed schedule instead. Colorado and Connecticut's cure periods expired on January 1, 2025. New Jersey's expires July 15, 2026. In September 2025, California, Colorado, and Connecticut started a coordinated enforcement sweep aimed at businesses that were not honoring opt-out signals.

Clear ownership matters here. So does a set review cadence. The table below shows the repeat tasks that help keep a multistate program current:

| Compliance Task | Owner | Review Cadence |
|---|---|---|
| Tag/Pixel Inventory & Audit | Marketing / IT | Quarterly |
| Data Protection Assessments | Legal | Before new high-risk processing |
| Privacy Policy & Notice Review | Legal | Annually or upon law change |
| Consumer Request Fulfillment | Ops / IT | Ongoing (45-day limit) |
| Vendor DPA Updates | Legal / Procurement | Upon vendor onboarding/renewal |
| GPC Signal Testing | Engineering | Monthly |

Conclusion: Key Steps for State Privacy Compliance

Across state laws, the pattern is pretty simple: build one privacy process that can shift by state. For retailers, the biggest differences still come down to thresholds, consumer rights, and how sensitive data is handled. And California is still the only state where broad privacy laws also apply to employee and job-applicant data.

That’s why day-to-day controls matter more than one-off fixes. Put one repeatable program in place and adjust it by state as needed. In practice, that means you should:

  • map your data flows
  • block advertising pixels until consent
  • honor Global Privacy Control signals
  • use one intake path for consumer requests

Cure periods are going away. So audits and assessments need to happen on a set schedule, not just when a new law shows up. State privacy compliance isn’t a one-time project. It’s a recurring part of how the business runs.

This guide is informational only, not legal advice.

FAQs

Which state privacy laws are most likely to apply to my retail business first?

State privacy laws usually kick in based on a few common triggers: your annual revenue, how much consumer data you handle, or whether you sell personal information. Because those thresholds differ from state to state, it makes sense to start with the states where you have the most customers.

Texas and Nebraska deserve close attention. They can apply even without minimum revenue or data-volume thresholds, as long as you’re not a small business.

California tends to come into play if your annual gross revenue is more than $26,625,000.

Do I need to honor Global Privacy Control signals on my retail website?

Yes. Depending on where you do business, you may be required to honor Global Privacy Control (GPC) signals.

As of April 2026, 12 states require businesses to treat GPC as a universal opt-out mechanism. State laws don’t all work the same way, though. Each one has its own thresholds and rules, so you’ll want to confirm whether your business falls within a given state’s scope.

For national retailers, honoring GPC across the board is often a strong compliance baseline.

What retail tools create the biggest privacy compliance risks?

Tools tied to loyalty programs, behavioral advertising, and third-party data tracking create the biggest privacy compliance risks.

Why? Because they often collect personal information, build profiles across different contexts, and share data with outside vendors.

High-risk examples include:

  • cookie-consent banners
  • ad-tech integrations
  • loyalty-analytics dashboards

These tools need to be set up to honor Global Privacy Control signals and offer the opt-out choices required under state laws.
