How CCPA, CPRA, and state privacy laws affect B2C marketing data

The United States has no single federal privacy law for consumer data — instead, a growing patchwork of state laws now governs how marketers collect, use, and share consumer information. For B2C marketers, this patchwork is the defining compliance challenge of the era. This article explains the major state privacy laws, what rights they grant consumers, and what they require of marketers using consumer data.

The state privacy law landscape

As of 2026, a substantial and growing number of US states have enacted comprehensive consumer privacy laws. The most influential include:

California (CCPA, expanded by CPRA) — the first and most influential. The California Consumer Privacy Act, strengthened by the California Privacy Rights Act, grants consumers rights to know, delete, correct, and opt out of the sale or sharing of their personal information, plus the right to limit use of sensitive data.

Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) — and a steadily expanding roster of other states — followed with their own comprehensive laws. They share a common core of consumer rights while differing in thresholds, definitions, and specific obligations.

The shared core across these laws: consumers can access the data held about them, request its deletion, correct inaccuracies, and opt out of having their data sold or used for targeted advertising. Businesses must provide privacy notices, honor these requests within set timeframes, and in many cases honor universal opt-out signals.

For marketers, the practical effect is that consumer data now comes with consumer rights attached — and using that data legally means being able to honor those rights.

Common questions

Do these laws ban B2C marketing?

No. State privacy laws don’t prohibit consumer marketing — they regulate how consumer data is collected, used, and shared, and grant consumers rights over their information. You can still market to consumers; you must do so while respecting their rights to access, delete, correct, and opt out of their data being sold or used for targeted advertising. The laws constrain data practices, not marketing itself.

What rights do these laws give consumers?

A common core: the right to know what personal data a business collects and how it’s used; the right to delete their data; the right to correct inaccurate data; the right to opt out of the sale or sharing of their data; and the right to opt out of targeted advertising. California adds the right to limit use of sensitive personal information. Marketers must be able to honor each of these when a consumer exercises them, typically within 45 days.

What counts as “selling” or “sharing” data?

This is where many marketers get caught. Under CCPA/CPRA, “sale” is defined broadly — it can include disclosing personal data to third parties for valuable consideration, not just direct cash sales of lists. “Sharing” specifically covers disclosing data for cross-context behavioral advertising. Many common marketing data practices may qualify as sale or sharing under these broad definitions, triggering the consumer’s right to opt out. The definitions are broad enough that you should assume data exchanges may qualify and handle them accordingly. Consult a lawyer for your specific practices.

Which state’s law applies to my campaign?

The law of the state where each consumer resides. If you market to consumers in California, California’s law applies to those consumers; Virginia residents get Virginia’s protections, and so on. For multi-state campaigns, you must apply each applicable state’s law to that state’s residents — or, more practically, apply the strictest common standard across your whole program to ensure compliance everywhere. Knowing where your consumers reside is therefore essential.

What do I have to do to comply?

Core obligations: maintain a clear privacy notice explaining what data you collect and how it’s used; provide mechanisms for consumers to exercise their rights (access, deletion, correction, opt-out); honor those requests within the required timeframe; honor opt-out-of-sale and universal opt-out signals; and document where your consumer data came from and what consent was obtained. When working with data vendors, you also need their cooperation in honoring downstream rights requests.

How do these laws affect buying consumer data?

They raise the bar on sourcing and documentation. Consumer data you buy must come with provenance you can stand behind — where it was collected, what consent was given — because you may need to honor access and deletion requests for it, and demonstrate lawful sourcing if challenged. Data with murky origins becomes a liability under these laws. This makes vendor due diligence and opt-in documentation more important than ever.

What are the penalties for non-compliance?

They vary by state but are meaningful. California’s CCPA/CPRA allows civil penalties per violation (higher for violations involving minors) and, in some cases, a private right of action for data breaches. Other states’ penalties are typically enforced by state attorneys general with per-violation fines. Multiplied across many affected consumers, penalties add up quickly. Beyond fines, non-compliance carries reputational and operational costs. This is general information, not legal advice — consult an attorney about your specific exposure.

How this applies to your business

The practical foundation is knowing your data’s provenance and your consumers’ locations. You can’t honor a deletion request for data you can’t trace, and you can’t apply the right state’s law to a consumer whose location you don’t know. Maintaining clear records of where consumer data came from, what consent attached to it, and where each consumer resides is the operational backbone of compliance.

Build the consumer-rights mechanisms before you need them. A privacy notice, a way for consumers to submit access and deletion requests, a process to honor them within deadline, and suppression for consumers who opt out — these need to exist as standing infrastructure, not scrambled-together responses when the first request arrives. Many marketers discover their compliance gaps only when a request comes in; build ahead of that.

Choose data vendors who support compliance, because their practices become your exposure. Vendors with documented opt-in provenance, suppression handling, and willingness to cooperate on downstream rights requests reduce your risk; vendors with murky sourcing increase it. As the patchwork of state laws keeps growing, vendor compliance discipline matters more each year.

This article is general guidance; consult a qualified privacy attorney for your specific obligations.

Iscope Digital’s B2C Email & Postal Data service maintains documented compliance with CCPA, CPRA, Virginia CDPA, Colorado CPA, and Connecticut CTDPA, with source-level provenance and suppression honored at the source. For the federal email layer beneath these state laws, see “Is B2C email marketing still legal in the US?” and, on the consent foundation, “What is opt-in consumer data and how do you verify it?”
