The reality for residents of these 29 states
If you live in one of the 29 states without a comprehensive data privacy law, you cannot compel most businesses to give you access to your data, delete it, or stop selling it under your state's own law. You have no state-level right to opt out of targeted advertising or profiling.
That does not mean you are unprotected. Every one of these states has a data breach notification statute — companies must tell you if your personal information is compromised. Most have consumer protection statutes (UDAP laws) that prohibit deceptive practices. And critically, federal law and the laws of other states (especially California) extend rights that reach across state lines.
Laws taking effect in 2027
- Alabama — Alabama Personal Data Protection Act (APDPA), enacted April 2026, effective May 1, 2027. Standard Virginia-model rights (access, delete, correct, opt out of sale/targeting/profiling). Low threshold: 25,000+ consumers.
- Louisiana — Louisiana Data Privacy Act (LDPA), enacted 2026 Regular Session, effective January 1, 2027. Comprehensive access/delete/opt-out rights.
- Oklahoma — Oklahoma Consumer Data Privacy Act (OCDPA), enacted 2026, effective January 1, 2027.
All 29 states + D.C.
The table below shows each state's breach notification law and any notable special protections beyond the baseline. Every state listed has no comprehensive privacy law in effect as of 2026.
| State | Breach notification | Special protections | Upcoming law |
|---|---|---|---|
| Alabama | Data Breach Notification Act (2018) | App-store age verification (2026) | APDPA effective May 2027 |
| Alaska | Personal Information Protection Act | Address confidentiality (DV survivors) | Bills introduced, none enacted |
| Arizona | Ariz. Rev. Stat. § 18-552 | Address confidentiality (DV/stalking survivors) | None enacted |
| D.C. | Security Breach Protection Act | — | Bills proposed, not enacted |
| Georgia | Ga. Code Ann. § 10-1-910 | Address confidentiality program | Bills introduced, none enacted |
| Hawaii | Haw. Rev. Stat. § 487N | Student data privacy protections | Bills considered, none enacted |
| Idaho | Idaho Code § 28-51-104 | Address confidentiality (DV survivors) | None enacted |
| Illinois | Personal Information Protection Act | BIPA (biometric privacy, private right of action); SOPPA (student data); Genetic Information Privacy Act | Comprehensive bill in committee |
| Kansas | Kan. Stat. Ann. § 50-7a01 | Address confidentiality program | None enacted |
| Louisiana | Database Security Breach Notification Law | Address protection for officials | LDPA effective Jan 2027 |
| Maine | Notice of Risk to Personal Data Act | ISP privacy law (restricts ISP data use) | None enacted |
| Massachusetts | Data security regulations (201 CMR 17.00) | Strong data-security rules; broad consumer protection (private right of action) | Actively debated, not enacted |
| Michigan | Identity Theft Protection Act | Minors' online safety considered | Bills introduced, none enacted |
| Mississippi | Miss. Code Ann. § 75-24-29 | Address confidentiality program | None enacted |
| Missouri | Mo. Rev. Stat. § 407.1500 | Address protection for judicial officers | Bills moving, none enacted |
| Nevada | NRS 603A breach notification | Online sale opt-out (SB 220); Consumer health data law (SB 370) | None enacted |
| New Mexico | Data Breach Notification Act | Address confidentiality program | Bills introduced, none enacted |
| New York | SHIELD Act (data security + breach) | Child Data Protection Act (2025); strong UDAP | NY Privacy Act pending |
| North Carolina | Identity Theft Protection Act | Free security freezes | Bills introduced, none enacted |
| North Dakota | N.D. Cent. Code § 51-30 | — | None enacted |
| Ohio | Ohio Rev. Code § 1349.19 | Data Protection Act safe harbor | Personal Privacy Act reintroduced |
| Oklahoma | Security Breach Notification Act | Address confidentiality program | OCDPA effective Jan 2027 |
| Pennsylvania | Breach of Personal Information Notification Act | Address confidentiality program | Consumer Data Privacy Act introduced |
| South Carolina | S.C. Code Ann. § 39-1-90 | Judicial/LE Personal Privacy Protection Act (2026) | None enacted |
| South Dakota | S.D. Codified Laws § 22-40-19 | Address confidentiality program | None enacted |
| Vermont | Breach notification statute | Data broker registration law (nation's first); Minors' Age-Appropriate Design Code | Two comprehensive bills vetoed (2024, 2026) |
| Washington | RCW 19.255.010 breach notification | My Health My Data Act (consumer health data); biometric law (RCW 19.375) | WA Privacy Act repeatedly failed |
| West Virginia | W.Va. Code § 46A-2A-101 | Daniel's Law-style address protection | None enacted |
| Wisconsin | Wis. Stat. § 134.98 | Judicial privacy (Wis. Stat. § 757.07) | WI Data Privacy Act introduced |
| Wyoming | Wyo. Stat. Ann. § 40-12-501 | Address confidentiality program | Bills introduced, none enacted |
Data as of June 2026. "Upcoming law" column reflects legislation enacted but not yet effective, or active legislative efforts. Sources: IAPP US State Privacy Legislation Tracker, individual state AG offices, and the statutes cited.
State law does not have to be your only protection. A free scan shows which data brokers have your personal information — and a removal service files opt-outs on your behalf using federal and cross-state rights.
Check your exposure free →What you can still do
Living in a state without a comprehensive privacy law does not mean you have no recourse. Here are the practical steps that work regardless of where you live.
Use California's CCPA against national brokers
Most large data brokers meet California's CCPA thresholds (annual revenue over $25 million, or selling data of 100,000+ consumers). These businesses are required to honor deletion and opt-out requests from any consumer whose data they hold. You do not need to be a California resident to submit a request — though the broker is technically only obligated to honor it under CCPA if you are. In practice, most national brokers process requests from all states because it is simpler than geographic filtering.
Enable Global Privacy Control (GPC)
The Global Privacy Control is a browser-level signal that tells websites you do not want your data sold or shared. California law requires CCPA-covered businesses to honor it. Colorado mandates it for CPA-covered businesses. Major browsers (Firefox, Brave, DuckDuckGo) support it natively; others via extensions. Enabling GPC is a 30-second action that creates a persistent opt-out signal across every covered site you visit.
Submit direct opt-out requests
Every legitimate data broker offers an opt-out process, regardless of whether your state requires it. The process varies by broker — some use a simple web form, others require identity verification by email or mail. The challenge is volume: the average American appears on 30-40 broker sites. A removal service automates this across hundreds of brokers and handles re-filing when data reappears.
Use California DROP (California residents only)
If you live in California, the DELETE Request and Opt-out Platform (DROP) went live January 1, 2026. It lets you submit a single free deletion request covering all registered data brokers (approximately 500-545 as of early 2026). Brokers must process requests every 45 days starting August 1, 2026. DROP only covers California-registered brokers and California residents.
File complaints under existing state law
Even without a comprehensive privacy law, your state's attorney general can pursue deceptive-practice claims against businesses that misrepresent their data handling. If a company's privacy policy says it will honor deletion requests and then ignores them, that is potentially a UDAP violation in every state. File complaints with your state AG's consumer protection division.
Frequently asked questions
Which states have no data privacy law?
As of 2026, 29 states plus D.C. have no comprehensive data privacy law in effect: Alabama, Alaska, Arizona, D.C., Georgia, Hawaii, Idaho, Illinois, Kansas, Louisiana, Maine, Massachusetts, Michigan, Mississippi, Missouri, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Carolina, South Dakota, Vermont, Washington, West Virginia, Wisconsin, and Wyoming. Three of these (Alabama, Louisiana, Oklahoma) have enacted laws taking effect in 2027. All have breach-notification laws.
Can I still get my data removed from brokers?
Yes. Most national data brokers are covered by California's CCPA regardless of where you live. You can submit opt-out and deletion requests to CCPA-covered brokers from any state. You can also enable the Global Privacy Control in your browser, which California and Colorado require businesses to honor. A data removal service handles this process across hundreds of brokers automatically and re-files when your data reappears.
What protections do I have without a comprehensive privacy law?
Every state has a data breach notification law. Most have consumer protection statutes that prohibit deceptive practices. Some states have additional protections: Illinois has BIPA (biometric privacy), Massachusetts has strong data-security rules, Washington has the My Health My Data Act, and Vermont has a data-broker registration law. What you lack is the right to compel businesses to give you access to, delete, or stop selling your data under your own state's law.
See your exposure, regardless of state law
A free scan shows which data brokers have your personal information. Removal works under federal and cross-state rights — you do not need a state privacy law to get started.
Run a free scan →Sources
- IAPP, US State Privacy Legislation Tracker — iapp.org
- California Consumer Privacy Act (CCPA/CPRA), Cal. Civ. Code § 1798.100 et seq.
- California DELETE Act and DROP platform — cppa.ca.gov
- Global Privacy Control specification — globalprivacycontrol.org
- Individual state statutes cited in the table above (verified against official state code databases and AG websites)