Data privacy laws exist around the world on nearly every continent.
In this data privacy laws and regulations guide for 2026, I walk you through laws by region that are in effect and explain what businesses they impact, what rights they outline for your consumers, and the penalties for violating them.
- What To Know About Privacy Laws in 2026
- What U.S. Data Privacy Laws Might Impact You in 2026?
- European Data Privacy Laws That Might Impact You In 2026
- What Data Privacy Laws Exist in 2026 in Other Parts of the World?
- How to Comply with Privacy Laws in 2026?
- What Are the 2026 Privacy Policy Requirements?
- How Can Businesses Manage User Consent in Compliance with 2026 Privacy Laws?
- How Can Businesses Manage Consumer Privacy Rights in 2026?
- How Does Termly Help Simplify Compliance with Privacy Laws?
What To Know About Privacy Laws in 2026
As of 2026, privacy laws exist in around 144 countries around the world.
If you operate online, there’s a good chance your business falls under at least one privacy law.
You’ll need to prepare your website, apps, or other digital platforms to comply with the guidelines of all applicable laws and ensure your users can properly follow through on their privacy rights.
Here’s a shortlist of what your business might legally need:
- Comprehensive privacy policy
- Updated cookie policy
- Properly configured cookie consent banner
- Consent management platform with access to a preference center
- DSAR process or workflow
Keep reading to learn more about the privacy laws that exist as of 2026 and discover if and how they impact you.
What U.S. Data Privacy Laws Might Impact You in 2026?
As of 2026, the U.S. still does not have a federal comprehensive consumer data privacy protection law.
However, there are state-level privacy laws in place protecting large parts of the country.
At the federal level, there are privacy laws protecting children, health and sensitive information, and financial data.
Termly has several resources available on our website to help you easily keep up with the evolving legal landscape, like our U.S. state data privacy law tracker map.
What Are the Different U.S. State Level Privacy Laws as of 2026?
Currently, around 20 U.S. states have passed a comprehensive consumer data privacy law and all are actively in force.
This means they’re enforceable and must be followed if they apply to your business, or you risk:
The U.S. state-level privacy laws that are currently active include:
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) entered into force on January 1, 2020.
It was amended by the California Privacy Rights Act (CPRA), which became operative on January 1, 2023.
Who it applies to:
The CCPA applies to any for-profit entity doing business in California that meets any of the following thresholds:
- Has a gross annual revenue over $25,000,000,
- Buys, sells, or shares the personal information of 100,000 or more California residents or households, or
- Derives 50% or more of annual revenue from selling the personal information of California residents.
Consumer rights:
Under the amended CCPA, consumers have the right to be notified before or at the point of data collection about what types of data a business is collecting and what they might do with it.
They also have the right to request the following:
- Know information about the data businesses collect about you, including the categories/pieces of personal information they collect about you, the categories of the sources of the information, the categories of the third parties the information is disclosed to, and the categories of information they sell or share with third parties, up to twice every calendar year for free.
- Delete the information they have on you and inform all of their service providers to also do so, with some exceptions, including when preventing the information of the consumer from being sold and compliance with laws.
- Correct information a business collected about you.
- Opt-out of the sale or sharing of your personal information with any third parties, including through user-enabled global privacy controls, which are set using tools like GPC.
- Limit the use and disclosure of sensitive personal information which includes specific details, like social security numbers, financial data, precise geolocation, and genetic data.
- Obtain a portable copy of their data
The CCPA also grants consumers the right to nondiscrimination for following through on any of their privacy rights.
Penalties for noncompliance:
Severe or repeat violations under the CCPA can lead to a fine of up to $7,500 per incident; less-severe infractions can reach up to $2,500 per incident.
Consumers can also sue for statutory damages between $100 and $750 per incident for breaches involving their unencrypted or unredacted personal information, or they can sue for the actual amount of monetary damage suffered from the breach, when it meets certain conditions.
Colorado Privacy Act (CPA)
Enforcement date:
The Colorado Privacy Act (CPA) entered into force on July 1, 2023.
Who it applies to:
This law applies to entities that do business in Colorado or target residents of the state that meet either of the following:
- Controls or processes the personal data of more than 100,000 consumers annually, or
- Derives revenue or discounts from the sale of personal data and controls or processes the data of more than 25,000 consumers annually.
Penalties for noncompliance:
A violation of the CPA is considered a deceptive trade practice by the Attorney General, and fines can reach up to $20,000 per violation.
Consumer rights:
Under this law, consumers have the following rights:
- Request to access all personal data an entity collected about them.
- Request to have the personal data deleted.
- Request to correct inaccuracies in data collected about them.
- Get a portable copy of their data upon request, when technically feasible.
- Opt-out of targeted advertising, the sale of data, and profiling.
Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) entered into force on July 1, 2023.
Who it applies to:
The CTDPA applies to entities that do business in Connecticut or target residents of the state and meet any of the following thresholds within a calendar year:
- Processes the personal data of more than 35,000 consumers (excluding data solely used to complete a payment transaction),
- Processes consumers’ sensitive data (excluding data solely used to complete a payment transaction), or
- Offers consumers’ personal data for sale in trade or commerce.
Penalties for noncompliance:
Fines for violating the CTDPA can reach as high as $5,000 per willful violation, and the law is enforced by the Attorney General.
Consumer rights:
Under this law, consumers have the following rights over their personal information:
- Confirm if an entity is collecting data about them,
- Access that personal data,
- Request to correct inaccuracies in data collected about them,
- Request to delete the data collected about them,
- Obtain a portable copy of their data,
- Opt-out of the sale of data, targeted advertising, and certain profiling.
- Obtain a list of third parties to which data was sold,
- Question the results of profiling, be informed of the reason that the profiling resulted in the decision, review the consumer’s data used in the profiling, and if the profiling decision concerned housing, to have the data corrected and the profiling decision reevaluated based upon the corrected data.
Consent from consumers is also required before an entity can process their sensitive personal information, which is a special category of data that includes more vulnerable details about individuals.
Delaware Personal Data Privacy Act (DPDPA)
The Delaware Personal Data Privacy Act (DPDPA) entered into force on January 1, 2025.
Who it applies to:
The DPDPA applies to entities that do business in Delaware or target residents of the state and meet either of the following in the prior year:
- Controls or processes the personal data of more than 35,000 consumers, excluding data processed solely to complete a payment transaction, or
- Controls or processes the personal data of more than 10,000 consumers and derives 20% or more of their gross annual revenue from the sale of personal data.
Penalties for noncompliance:
Violating the DPDPA can lead to fines of up to $10,000 per incident, and the law is enforced exclusively by the state Attorney General.
Consumer rights:
Consumers protected by the DPDPA have the following rights:
- Confirm if an entity is collecting data about them,
- Access the data being collected about them,
- Ask a business to correct inaccuracies in the data collected about them,
- Ask a business to delete the data collected about them,
- Obtain a portable copy of their data
- Opt out of the sale of their personal data or having data used for targeted advertising and profiling.
- Obtain a list of categories of third parties to which data was disclosed.
Florida Digital Bill of Rights (FDBR)
The Florida Digital Bill of Rights (FDBR) took effect on July 1, 2024.
Who it applies to:
This digital bill of rights applies to businesses that earn over $1 billion in global gross annual revenue and meet one of the following thresholds:
- Derives 50% or more from selling online ads
- Operates voice-command services
- App stores with at least 250,000 software applications
Penalties for noncompliance:
Those found in noncompliance with the FDBR could face significant penalties of $50,000 per violation, an amount that increases depending on the severity of the infraction.
The law is enforced by the Attorney General.
Consumer rights:
This law gives Florida consumers the following rights over their personal information:
- Confirmation of data collection,
- Access to the data,
- Correct inaccuracies in the data,
- Request to delete their data,
- Obtain a portable copy of their data,
- Opt out of the sale of their data, targeted advertising, profiling, collection of sensitive data, processing sensitive data, and collection of data collected through the operation of a voice or facial recognition feature.
Indiana Consumer Data Protection Act (ICDPA)
The Indiana Consumer Data Protection Act (ICDPA) entered into force on January 1, 2026.
Who it applies to:
The ICDPA applies to any business in Indiana or those that target residents of the state who meet the following criteria:
- Controls or processes the personal data of more than 100,000 consumers, or
- Controls or processes the personal data of more than 25,000 consumers and derives more than 50% of their gross annual revenue from the sale of that data.
Penalties for noncompliance:
Violating Indiana’s data privacy law can lead to fines of up to $7,500 per violation, and the law is enforced by the state Attorney General.
Consumer rights:
Consumers protected by the ICDPA have the following rights over their personal information:
- Confirmation of data collection,
- Right to access their personal data,
- Right to correct inaccuracies in their data,
- Right to request to have their data deleted,
- Request to access a portable copy of their data,
- Opt-out of the sale of their data, targeted advertising, and profiling
Under this law, opt-in consent from the consumer is required before a business can collect their sensitive personal information, which includes more vulnerable, personal details.
Iowa Consumer Data Protection Act (ICDPA)
The Iowa Consumer Data Protection Act (ICDPA) took effect on January 1, 2025.
Who it applies to:
The Iowa privacy law applies to any business that operates in the state or targets residents of the state and meets one of the following guidelines within a calendar year:
- Controls or processes the personal data of more than 100,000 consumers, or
- Controls or processes the personal data of at least 25,000 consumers and generates over 50% of gross annual revenue from the sale of data.
Penalties for noncompliance:
Penalties for noncompliance under the ICDPA include potential fines of up to $7,500 per violation.
This law is enforced by the state Attorney General.
Consumer rights:
Under the Iowa consumer data privacy law, users have the following rights over their personal information:
- Confirm if an entity is processing their data,
- Access the data an entity is processing about them,
- Request that their data is deleted
- Obtain a portable copy of their data
- Opt out of the sale of their data, targeted advertising, and the collection and processing of sensitive personal data.
Kentucky Consumer Data Protection Act (KCDPA)
The Kentucky Consumer Data Protection Act (KCDPA) entered into force on January 1, 2026.
Who it applies to:
This law applies to any entity that does business in Kentucky or targets residents of the state and meets the following guidelines:
- Processes and controls the personal data of at least 100,000 consumers or
- Processes and controls the personal data of at least 25,000 consumers and earns 50% of gross annual revenue from the sale of personal data.
Penalties for noncompliance:
Penalties for violating the KCDPA include fines as high as $7,500 per incident. This law is enforced by the state Attorney General.
Consumer rights:
Under Kentucky’s new data privacy law, consumers have the following rights:
- Confirm if a controller is processing their personal data,
- Access the personal data collected about them,
- Correct inaccuracies in their personal data,
- Delete their personal data,
- Obtain a portable copy of their data when technically feasible,
- Opt-out of targeted advertising, the sale of personal data, and profiling.
Maryland Online Data Protection Act (MODPA)
The Maryland Online Data Protection Act (MODPA) entered into force on October 1, 2025.
Who it applies to:
Entities fall under the MODPA if they conduct business in the state or target residents of the state and meet either of the following in a calendar year:
- Controls or processes the personal data of at least 35,000 consumers, excluding payment transactions, or
- Controls or processes the personal data of at least 10,000 consumers and derives more than 20% of gross annual revenue from the sale of the data.
The MODPA has no monetary threshold, so it may impact businesses of any size.
Penalties for noncompliance:
Fines for violating the MODPA can reach as high as $10,000 per incident.
It’s enforced by the state Attorney General.
Consumer rights:
Consumers in Maryland have the following rights under this data privacy law:
- Confirm if a controller is processing their data
- Access the data
- Correct inaccuracies in the data
- Require a controller to delete the data
- Obtain a portable copy of their personal data
- Obtain a list of the third parties their data is disclosed to
- Opt out of data processing for targeted advertising, the sale of their data, and certain kinds of profiling.
Minnesota Consumer Data Privacy Act (MCDPA) – in force July 31, 2025
The Minnesota Consumer Data Privacy Act (MCDPA) entered into force on July 31, 2025.
Who it applies to:
Businesses fall under the scope of the MCDPA if they conduct business in Minnesota or target residents of the state and meet either of the following:
- Controls or processes the personal data of 100,000 consumers during a calendar year, excluding data processed solely to complete a payment transaction, or
- Derives over 25% of gross revenue from the sale of personal data and processes or controls the data of 25,000 consumers or more.
Penalties for noncompliance:
Violating the MCDPA can cost you as much as $7,500 per incident. The state Attorney General enforces the law.
Consumer rights:
The MCDPA grants Minnesota consumers the following rights over their personal data:
- Confirm if a controller is processing their personal data,
- Access the categories of personal data being processed,
- Correct inaccuracies in their personal data,
- Delete their personal data,
- Obtain a portable copy of the personal data collected about them,
- Opt out of processing for the purposes of targeted advertising, the sale of their personal data, and profiling in furtherance of automated decisions that produce legal effects,
- Obtain a list of the third parties a controller has disclosed their personal information to,
- Question the results of profiling, be informed of the reason that the profiling resulted in the decision, be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future, review the consumer’s data used in the profiling, and have the data corrected and the profiling decision reevaluated based upon the corrected data.
Montana Consumer Data Privacy Act (MCDPA)
The Montana Consumer Data Privacy Act (MCDPA) entered into force on October 1, 2024.
Who it applies to:
As of October 1, 2025, the MCDPA applies to any entity that conducts business in the state or targets Montana residents and either:
- Controls or processes the personal data of at least 25,000 consumers, or
- Controls or processes the personal data of at least 15,000 consumers and derives more than 25% of gross annual revenue from the sale of personal data.
Penalties for noncompliance:
Fines for violating Montana’s data privacy law can reach as high as $7,500 per incident.
Investigations and penalties are carried out by the state Attorney General.
Consumer rights:
Under this law, Montana consumers have the following rights:
- Confirm if a controller is processing their personal data,
- Access that data,
- Correct inaccuracies in the data,
- Delete personal data about themselves,
- Obtain a portable copy of their personal data
- Opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling
Nebraska Data Privacy Act (NDPA)
The Nebraska Data Privacy Act (NDPA) took effect on January 1, 2025.
Who it applies to:
This law applies to entities that conduct business in Nebraska or target residents of the state and:
- Processes or engages in the sale of personal data and
- Is not a small business as determined under the federal Small Business Act
The other law with a similar threshold is the Texas Data Privacy and Security Act (TDPSA).
Penalties for noncompliance:
Violating the Nebraska Data Privacy Act can lead to fines of up to $7,500 per incident.
Consumer rights:
Under this law, Nebraska consumers have the following rights:
- Confirm if a controller is processing data about them,
- Access that data,
- Correct inaccuracies in their data
- Delete the data provided by or obtained about them
- Obtain a portable copy of their data
- Opt-out of targeted advertising, the sale of their data, and profiling
New Hampshire Data Privacy Act (NHDPA)
The New Hampshire Data Privacy Act (NHDPA) went into effect on January 1, 2025.
Who it applies to:
You must comply with New Hampshire’s privacy law if you conduct business in the state or target state residents and meet either of the following:
- Controls or processes the personal data of at least 35,000 unique consumers, excluding data processed solely to complete a payment transaction.
- Controls or processes the personal data of no less than 10,000 unique consumers and derives more than 25% of their gross annual revenue from the sale of personal data.
Penalties for noncompliance:
Violating the New Hampshire data privacy law can lead to large fines of up to $10,000 per incident.
This law is enforced by the state Attorney General, and a violation is considered an unfair method of competition or a deceptive act or practice.
Consumer rights:
New Hampshire consumers have the following rights under this state-level privacy law:
- Confirm if a controller is processing their personal data,
- Access the information the controller processes about them (unless accessing it exposes a trade secret),
- Correct inaccuracies in their information,
- Delete data provided by or obtained about them,
- Obtain a portable copy of their data,
- Opt out of the processing of personal data for targeted advertising, the sale of their personal data, and profiling.
New Jersey Data Privacy Act (NJDPA)
The New Jersey Data Privacy Act (NJDPA) took effect on January 15, 2025.
Who it applies to:
The NJDPA applies to any entities that conduct business in the state or that target residents of the state and meet either of the following in a calendar year:
- Controls or processes the personal data of 100,000 individuals, excluding data processed solely for the purpose of completing payment transactions.
- Controls or processes the personal data of at least 25,000 individuals and derives revenue from or receives a discount for selling the information.
Penalties for noncompliance:
Fines for violating the NJDPA can reach up to $10,000 for first-time offenses, and up to $20,000 for repeat offenders.
This law is enforced by the state Attorney General.
Consumer rights:
Under this law, New Jersey consumers have the following rights:
- Confirm if a controller is collecting their data
- Access the personal data collected about them.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a portable copy of their personal data.
- Opt-out of the processing of their data for targeted advertising, the sale of their information, and profiling.
- Nondiscrimination for acting on their privacy rights.
Oregon Consumer Privacy Act (OCPA)
The Oregon Consumer Privacy Act (OCPA) became active on July 1, 2024.
Who it applies to:
You must follow the OCPA if you conduct business in Oregon or target residents of the state and meet either threshold in a calendar year:
- Controls or processes personal data of 100,000 or more consumers, excluding data controlled or processed solely to complete payment transactions, or
- Controls or processes personal data of 25,000 or more consumers while deriving 25% or more of your gross annual revenue from the sale of personal data.
Penalties for noncompliance:
Fines for violating the Oregon privacy law can reach as high as $7,500 per incident.
It’s enforced by the state Attorney General.
Consumer rights:
Consumers have the following rights under this privacy law:
- Confirm if a controller processed personal information about them,
- Access the categories of data processed about them,
- Obtain a list of the specific third parties the data is shared with.
- Obtain a portable copy of all personal data being processed.
- Correct inaccuracies in their personal data.
- Require a controller to delete their personal data, including data the consumer provided to the controller and data obtained from another source.
- Opt out of targeted advertising, the sale of their data, or profiling.
Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) became effective on January 1, 2026.
Who it applies to:
For-profit entities must follow this law if they conduct business in the state or target Rhode Island consumers and meet either of the following in a calendar year:
- Controls or processes the personal data of 35,000 customers, excluding data processed solely to complete a payment transaction, or
- Controls or processes the personal data of 10,000 customers and earns 20% or more of gross revenue from the sale of personal data.
Penalties for noncompliance:
Fines for violating this law can range from $100 to $500 per incident, and it is enforced by the state Attorney General.
Consumer rights:
Consumers under this law have the following rights:
- Confirm if a controller is processing their personal data,
- Access that data,
- Correct inaccuracies in their data,
- Request to delete their personal data,
- Obtain a portable copy of their personal data,
- Opt-out of data processing for targeted advertising, the sale of data, or profiling,
- Opt-in to the collection of sensitive personal data.
Tennessee Information Protection Act (TIPA)
The Tennessee Information Protection Act (TIPA) entered into force on July 1, 2025.
Who it applies to:
You must follow Tennessee’s privacy law if you do business in the state or target residents of the state, earn more than $25 million in annual revenue, and either:
- Processes or controls the personal information of at least 175,000 Tennessee consumers during a calendar year, or
- Processes or controls the personal information of at least 25,000 consumers and derives 50% of gross annual revenue from the sale of that information.
Penalties for noncompliance:
Fines for violating the TIPA can reach as high as $7,500 per incident and the law is enforced by the state Attorney General.
Consumer rights:
The TIPA provides Tennessee consumers with the following rights:
- Confirm if a controller is processing their personal information,
- Access that data,
- Correct inaccuracies in their information,
- Delete the personal information provided by or obtained about the consumer (however, the controller does not need to delete aggregated or de-identified information),
- Obtain a portable copy of their personal information,
- Opt out of selling their data, targeted advertising, and profiling,
- Opt-in to the collection of sensitive personal data.
Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024.
Who it applies to:
If you meet the following guidelines, then your business needs to follow the TDPSA:
- Conducts business in Texas or produces goods or services consumed by residents of the state
- Processes or sells personal data
- Is not a small business as defined by the United States Small Business Administration (SBA) (i.e., companies with fewer than 500 employees) unless the business engages in the sale of sensitive personal data
Penalties for noncompliance:
Noncompliance under the TDPSA can lead to fines of up to $7,500 per incident, and the law is enforced by the state Attorney General.
Consumer rights:
Consumers have the following rights under the Texas privacy law:
- Confirm if a controller is processing their data,
- Access the personal data collected about them,
- Correct inaccuracies in their data, taking into account the nature of it and the purpose of processing,
- Delete the data provided by or obtained about the consumer,
- Obtain a portable copy of their data, if it’s available in a digital format,
- Non-discrimination,
- Opt out of processing personal data for targeted advertising, the sale of their data, or profiling.
- Opt-in to the collection of sensitive personal data.
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) entered into force on December 31, 2023.
Who it applies to:
You must follow the UCPA if you do business in the state or target residents of the state, have an annual revenue of $25 million or more, and meet either of the following in a calendar year:
- Controls or processes personal data of more than 100,000 consumers, or
- Controls and processes personal data of more than 25,000 consumers and derives over 50% of gross revenue from selling personal data.
Penalties for noncompliance:
Penalties for noncompliance under the UCPA can reach as high as $7,500 per incident.
The law is enforced by the state Attorney General.
Consumer rights:
Under this law, consumers have the following rights:
- Confirm if an entity is collecting personal data about them,
- Access the personal data collected about them,
- Request to delete data collected about them,
- Obtain a portable copy of their data,
- Opt out of the selling of data or targeted advertising.
Virginia Consumer Data Protection Act (VCDPA)
Enforcement date: The Virginia Consumer Data Protection Act (VCDPA) entered into force on January 1, 2023.
Who it applies to:
You must follow the VCDPA if you conduct business in Virginia or target your products and services to residents of the state and meet either of the following:
- Controls or processes the personal data of 100,000 consumers during a calendar year, or
- Controls or processes the personal data of 25,000 consumers and earns 50% of gross revenue from the sale of personal data.
Penalties for noncompliance:
Violating the Virginia privacy law can lead to fines between $2,500 and $7,500 per incident, depending on the severity of the violation.
The law is enforced by the state Attorney General.
Consumer rights:
Under the VCDPA, consumers have the following rights over their data:
- Confirm if a controller is processing their data
- Access their personal data
- Correct inaccuracies in their data
- Request deletion by businesses
- Obtain a portable copy of personal data
- Opt-out of the processing of personal data for targeted advertising, the sale of their personal data, and profiling
- Non-discrimination for exercising rights
Are There Any Federal U.S. Laws Related to Privacy?
Several privacy-related laws at the federal level in the U.S. impose restrictions, guidelines, and obligations around how entities collect and use personal data, for example:
European Data Privacy Laws That Might Impact You In 2026
In Europe, the data privacy legal framework is made up of three major laws:
The ePrivacy Directive entered into force back in 2002, whereas the GDPR is a newer regulation accounting for the modern internet and entered into force in January 2018.
The EU AI Act is the most recent of the three and entered into force in August 2024.
Who it applies to:
The EU data privacy legal landscape has a very broad global impact, and businesses small and large around the world are subject to complying with these regulations.
The GDPR, for example, applies to any entity in Europe, or any entity that processes personal data of people in Europe or the EEA by offering goods or services or monitoring their online behaviors.
It has no monetary thresholds or data collection limits.
The ePrivacy Directive is similar and applies to any website using tracking technologies with EU/EEA visitors.
The EU AI Act is just as broad and applies to any entity creating AI products and releasing them in Europe.
Penalties for noncompliance:
Penalties for violating the GDPR include very significant fines of up to €10 million ($12 million) or 2% of your gross annual revenue, whichever is higher.
However, repeat offenses or more severe violations could result in fines of up to €20 million ($23 million) or 4% of your gross annual revenue, whichever is higher.
Violations of the ePrivacy Directive are typically lumped into investigations under the GDPR.
Under the EU AI Act, the fines are tiered depending on the severity of the violation and include the following:
- For prohibited practices, fines reach up to €35 million or 7% of your global annual revenue,
- For most obligations, fines reach up to €15 million or 3% of your global annual revenue,
- For providing misleading information, fines may reach up to €7.5 million or 1% of your global annual revenue.
Each EU member state is responsible for carrying out investigations and penalizing entities that violate any of the obligations and requirements outlined by these laws and regulations.
Consumer rights:
The GDPR grants data subjects the following rights over their personal data:
- Right to be informed about data collection,
- Right to access the data,
- Right to rectify/correct data,
- Right to erasure (right to be forgotten),
- Right to data portability,
- Right to opt out of automated decision-making & profiling.
The ePrivacy Directive grants users similar key rights that relate specifically to the GDPR principles, including:
- Confidentiality of communications,
- Consent for tracking/cookies,
- Protection from spam,
- Data erasure/anonymization,
- Right to be informed.
Finally, the EU AI Act provides consumers with the following rights with regard to how entities sell and produce AI products:
- Transparency when AI generates content,
- Mandates ‘human-in-the-loop’/human oversight,
- Prohibits practices and AI that manipulate individuals and exploit vulnerabilities,
- Outlines data protection for AI by encouraging data anonymization and encryption.
What Data Privacy Laws Exist in 2026 in Other Parts of the World?
Beyond the U.S., Europe, and the UK, there are dozens of other privacy laws that may apply to your website, depending on where your internet traffic comes from:
- Argentina’s Personal Data Protection Act (PDPA)
- Australia Privacy Act 1988
- Brazil’s General Data Protection Law (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- China’s Personal Information Protection Law (PIPL)
- New Zealand Privacy Act 2020
- Quebec’s Law 25
- South Africa Protection of Personal Information Act (POPIA)
- Thailand’s Personal Data Protection Act (PDPA)
- UK General Data Protection Regulation (UK GDPR)
- UK Data Protection Act 2018 (UK DPA 2018)
Some of these laws, including Brazil’s LGPD and South Africa’s POPIA, were inspired by the EU GDPR and outline similar rights and business obligations, but differ in significant ways.
Other laws were established before the modern internet, including the Australia Privacy Act and Canada’s PIPEDA, but have been amended and updated in an effort to keep up with technological changes.
How to Comply with Privacy Laws in 2026?
Businesses often complain about the complexities of complying with privacy laws. This is a headache-inducing process that often feels time-consuming, expensive, and ongoing.
The good news is that there are easy ways to simplify some of the major aspects of meeting the requirements of these laws.
Below, I address how to simplify three of the biggest pain points:
- Privacy policy requirements
- Consent management for cookies and other trackers
- Managing privacy right requests from consumers
What Are the 2026 Privacy Policy Requirements?
Most privacy laws in some way impact or address privacy policies, sometimes referred to as privacy notifications.
In the U.S., it’s common for state-level laws to specifically require a privacy policy by name.
Otherwise, presenting website visitors with a comprehensive privacy policy helps ensure they are properly informed and able to provide adequate legal consent for any data collection or processing you want to perform.
While the details of your privacy policy may change depending on the laws that impact your business, they typically require businesses to include at least the following details:
- What personal data you collect
- How you collect the personal data
- Why you collect the personal data
- Who the personal data is shared with or sold to
- What rights users have over their data, and how to act on them
- Your site’s contact details
Every website should have an honest, up-to-date privacy policy linked at least in the footer of the site, but it’s a good idea to link it in multiple places.
Add it to your cookie consent banner, on any payment screens or account creation pages, to the footer of marketing emails, and anywhere else data collection may occur.
It’s easy to make one by using a legally backed privacy policy generator.
How Can Businesses Manage User Consent in Compliance with 2026 Privacy Laws?
Consent management is no longer optional for most businesses; it’s an essential part of legal proofing your website.
Privacy laws now heavily impact and regulate the ways business websites and consumers interact with each other.
For example, modern websites often collect, process, and use legally protected personal data from site visitors through internet cookies and other website analytics. Privacy laws outline opt-in and opt-out requirements for the use of these cookies or other trackers.
It’s also now commonplace for businesses to perform targeted advertising. Several laws, primarily in the U.S., address this and often provide consumers with the right to opt out of having their data used for such purposes.
Your website should have a consent management platform that includes a cookie banner with all applicable regional consent settings that impact your consumers.
How Can Businesses Manage Consumer Privacy Rights in 2026?
Managing consumer privacy rights is another significant hurdle businesses face due to the complexities of the legal landscape.
Individual privacy laws are enforced by separate authorities, such as the state Attorney General offices in the U.S.
In Europe, even though the GDPR is the single overarching regulation, it’s enforced by each member state’s established supervisory authority.
Additionally, these laws all outline similar privacy rights for consumers, who may typically exercise these rights by submitting a request to your business at any time.
This means violating a single privacy law, especially in the U.S., could lead to a snowball effect of noncompliance with other applicable laws.
Imagine juggling multiple investigations from several state agencies or European supervisory authorities simply because your business is unprepared to properly respect your consumers’ privacy rights.
Adding a Data Subject Access Request form to your website can help streamline how your users submit these requests, which helps create an efficient process for receiving and responding to these legal requests.
How Does Termly Help Simplify Compliance with Privacy Laws?
Termly was made to help businesses that need to comply with privacy laws.
Our automated policy generators and consent management solutions make it easy to align your website with applicable obligations and requirements.
With Termly, you can control all of your data privacy processes in one place. That means everything from updating your privacy policy to managing your consent banner and fielding consumer DSAR submissions.
Try it out for free today!
Reviewed by Amanda Lee, Legal Operations Manager

