Which privacy laws apply to my company in 2026?
The applicability logic, in order
First, extraterritorial regimes: GDPR (EU/EEA residents), UK GDPR, China's PIPL, Brazil's LGPD — these bind you based on whose data you touch. A Delaware SaaS company with German users answers to GDPR with a €20M/4% ceiling.
Second, US state laws where you meet thresholds: most follow the Virginia pattern (control/process data of 100,000+ state residents, or 25,000+ plus a revenue share from data sales), but the numbers vary — California adds employee and B2B data, Texas applies to any company that isn't a small business under SBA definitions and processes personal data, and Rhode Island's thresholds are much lower than most.
Third, sector overlays on top of the comprehensive laws: HIPAA for health data, GLBA for financial data, COPPA for children, state biometric laws (Illinois BIPA remains the litigation engine), and the new wave of state health-data laws following Washington's My Health My Data.
What changed for 2026
Indiana, Kentucky, and Rhode Island took effect January 1, 2026, bringing the count of comprehensive state privacy laws in force to twenty. Cure periods keep shrinking as laws mature — several states' cure windows have sunset — and Rhode Island launched with none at all: its attorney general can pursue violations from day one.
Enforcement is also professionalizing: California's CPPA issues its own fines, and multi-state coordinated inquiries are now routine. The practical consequence: applicability analysis has to be re-run whenever your user footprint grows into a new state or your data-sales revenue mix shifts — thresholds you were under last year may bind you this year.
Doing the check without a $40k platform
For a specific jurisdiction, our /api/comply/privacy endpoint ($0.15) returns the governing law, regulator, obligations, data-subject rights, breach-notification clocks, transfer mechanisms, and penalty ceilings — 145+ jurisdictions covered, with a business-context parameter so a fintech gets the fintech answer.
For the whole map at once, /api/comply/scan ($1.50) takes your company profile — country, sector, size, activity flags like personal-data and eu-sales — and returns every major regime that applies, ranked by urgency, each with current deadlines and primary sources. That is the question every GRC platform starts its five-figure engagement with.
GET https://compliancepulse.theaslangroupllc.com/api/comply/privacy — x402 pay-per-query, no API key. See llms.txt.FAQ
Does GDPR apply if my company has no EU office?
Yes, if you offer goods or services to people in the EU or monitor their behaviour — applicability follows the data subjects, not your corporate registration.
Which US states have privacy laws in force in 2026?
Twenty comprehensive laws are in effect during 2026; the January 2026 additions are Indiana, Kentucky, and Rhode Island. California, Texas, Colorado, Virginia, Connecticut and others carry the most enforcement activity.
What makes Rhode Island's law unusual?
No right-to-cure period, penalties up to $10,000 per violation, and low applicability thresholds (35,000 consumers, or 10,000 with 20%+ revenue from data sales).
Is there a US federal privacy law?
No comprehensive one — sector laws (HIPAA, GLBA, COPPA) plus FTC enforcement fill the gap, and state laws do the comprehensive work.