Does your state give you the right to force data brokers to delete your personal information? Can you find out what data companies have collected about you? Are data brokers even required to register in your state?
The answers depend entirely on where you live. The United States has no comprehensive federal privacy law — instead, privacy laws are a patchwork of state-by-state regulations that vary dramatically in what they protect, who they cover, and how they’re enforced.
This guide breaks down the current landscape of state privacy laws so you know exactly what rights you have and how to use them.
In this guide:
- States with comprehensive privacy laws
- What rights these laws give you
- California’s DELETE Act (the game-changer)
- States with data broker registration requirements
- What to do if your state has no privacy law
Regardless of where you live: You don’t need to wait for your state’s laws to protect you. Run a free Optery scan to see where your data is exposed on data broker sites — then remove it. Your privacy rights may vary by state, but your ability to opt out of data brokers doesn’t.
The Current State of US Privacy Laws
As of 2026, there is no federal privacy law that comprehensively regulates how companies collect, sell, and use your personal information. The closest things are sector-specific laws like HIPAA (healthcare) and FERPA (education) — but nothing that covers data brokers and the general sale of personal data.
That means your privacy rights depend on your state. And the difference between states is enormous — some give you powerful rights to control your data, while others provide virtually no protection at all.
States with Comprehensive Privacy Laws
These states have passed broad privacy laws that give residents specific rights over their personal data:
California (CCPA/CPRA) — The Gold Standard
California has the strongest privacy laws in the country. The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives residents the right to know what data is collected about them, request deletion of their data, opt out of the sale of their personal information, and not be discriminated against for exercising these rights.
The DELETE Act and DROP Platform. California took it a step further with the DELETE Act, which created the Data Privacy Protection Agency’s DROP (Delete Request Online Portal) platform. This lets California residents send a single deletion request to every registered data broker in the state — over 500 of them — through one portal. It’s the most aggressive state-level data broker regulation in the country.
If you’re a California resident, you have powerful tools. But even with the DROP platform, automated services like Optery and Incogni provide broader coverage (including brokers not registered in California) and continuous monitoring for re-listings.
Virginia (VCDPA)
The Virginia Consumer Data Protection Act gives residents the right to access their data, request deletion, opt out of data sales and targeted advertising, and correct inaccurate data. Enforcement is through the Attorney General — there’s no private right of action (meaning you can’t sue companies directly).
Colorado (CPA)
The Colorado Privacy Act provides similar rights to Virginia — access, deletion, opt-out of sales, and correction. Colorado notably includes a universal opt-out mechanism that allows residents to signal their privacy preferences through browser settings.
Connecticut (CTDPA)
Connecticut’s Data Privacy Act gives residents rights to access, delete, correct, and opt out of data sales. It also includes protections around sensitive data categories like health information, biometric data, and precise geolocation.
Utah (UCPA)
Utah’s Consumer Privacy Act provides basic rights to access and delete data, and to opt out of sales and targeted advertising. However, it’s considered one of the more business-friendly privacy laws — with narrower definitions of what counts as a “sale” of data.
Additional States with Privacy Laws
Several other states have enacted or are implementing comprehensive privacy laws, including Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Kentucky, Rhode Island, and others. The specific rights and effective dates vary by state.
This list continues to grow as more states pass privacy legislation. If your state isn’t listed here, it’s worth checking for recent legislation — the landscape is changing rapidly.
What Rights Do These Privacy Laws Give You?
While the specifics vary, most state privacy laws include some combination of these rights:
Right to know. You can ask companies what personal data they’ve collected about you, where they got it, and who they’ve shared it with.
Right to delete. You can request that companies delete the personal data they’ve collected about you. This is the right most directly relevant to data broker removal — it gives your opt-out request legal teeth.
Right to opt out of sales. You can tell companies not to sell your personal information. For data brokers, whose entire business model is selling your data, this is a powerful right.
Right to correct. You can request that companies fix inaccurate data about you.
Right against discrimination. Companies can’t penalize you for exercising your privacy rights — for example, by charging you more or providing worse service.
The enforcement gap: Having rights on paper is different from having rights in practice. Most state privacy laws are enforced by the Attorney General, not by individual consumers. This means enforcement is limited by government resources and priorities. That’s one reason why proactive data broker removal (rather than waiting for enforcement) is the most effective approach.
States with Data Broker Registration Requirements
Some states have taken a different approach — instead of broad privacy laws, they require data brokers to register with the state:
Vermont was the first state to require data broker registration. Companies that buy and sell personal data must register annually with the Secretary of State, creating at least some transparency about who’s operating in this space.
California requires data brokers to register with the California Privacy Protection Agency as part of the DELETE Act framework.
Oregon, Texas, and New Jersey have also enacted data broker registration requirements with varying levels of disclosure obligations.
Registration doesn’t stop data brokers from operating — but it creates accountability and enables programs like California’s DROP platform that let residents submit deletion requests in bulk.
What If Your State Has No Privacy Law?
If you live in a state without comprehensive privacy laws, you still have options. Your privacy isn’t entirely unprotected — it’s just not protected by state legislation. Here’s what you can do:
You can still opt out of data brokers. Every major data broker site offers an opt-out process regardless of what state you live in. They do this partly because of California’s law (they can’t easily distinguish California residents from others) and partly because of public pressure. You don’t need a state law to submit opt-out requests.
Our removal guides cover the process for every major site:
- Whitepages
- Spokeo
- BeenVerified
- TruePeopleSearch
- FastPeopleSearch
- MyLife
- Radaris
- Intelius
- PeopleFinder
Full list: How to Opt Out of Data Brokers.
Use automated removal services. Services like Optery and Incogni work in every state — they submit opt-out requests to data brokers regardless of your state’s legal framework. This is the most practical approach for residents of states without strong privacy laws.
Optery — Our top recommendation. Free scan to see your exposure. Paid plans ($39-$249/year) automate removal from 350+ data broker sites with continuous monitoring. Works in every state. Read our full Optery review →
Incogni — Best budget option. Covers 180+ data brokers for $6.49/month billed annually. Works nationwide regardless of state laws. Read our full Incogni review →
Leverage federal protections. While there’s no comprehensive federal privacy law, you do have federal rights in specific areas: the Fair Credit Reporting Act (FCRA) governs credit reporting, the Health Insurance Portability and Accountability Act (HIPAA) protects health data, and the FTC can take action against deceptive and unfair data practices.
Freeze your credit. Federal law guarantees your right to free credit freezes with all three bureaus, regardless of your state. This protects against identity theft nationwide.
Support federal privacy legislation. Contact your representatives and express support for comprehensive federal privacy legislation. Until a federal law passes, the patchwork of state laws leaves most Americans with limited protections.
How to Use Your State’s Privacy Law
If you’re in a state with privacy laws, here’s how to actually use them:
Step 1: Know your rights. Check your state’s specific law to understand what rights you have — access, deletion, opt-out, correction. The rights vary significantly between states.
Step 2: Submit data access requests. Send requests to companies asking what data they’ve collected about you. Most states require companies to respond within 30-45 days.
Step 3: Submit deletion requests. Request that companies delete your personal data. For data brokers, this is essentially a legally backed opt-out request.
Step 4: Reference your state law. When submitting opt-out requests to data brokers, reference your state’s privacy law by name. This gives your request legal weight and often results in faster processing. For example: “Pursuant to the California Consumer Privacy Act (CCPA), I request the deletion of all personal information you have collected about me.”
Step 5: Use automated services for scale. Manually submitting deletion requests to 100+ data brokers is impractical even with legal backing. Optery and Incogni automate the process and leverage applicable state laws in their removal requests.
The Future of Privacy Laws
The privacy law landscape is evolving rapidly. Several trends are worth watching:
More states are passing laws every year. The number of states with comprehensive privacy laws has grown dramatically since California’s CCPA passed in 2018. The trend is clearly toward more regulation, not less.
Data broker-specific legislation is growing. California’s DELETE Act model — requiring data broker registration and enabling one-click deletion requests — is being studied and replicated by other states.
Federal legislation remains possible. The American Data Privacy and Protection Act (ADPPA) and similar proposals have had bipartisan support. A comprehensive federal law would standardize protections across all states.
Enforcement is ramping up. State attorneys general are increasingly using their enforcement powers to hold data brokers accountable. Fines and enforcement actions are becoming more common.
But waiting for legislation to catch up isn’t a privacy strategy. The most effective approach right now is proactive data broker removal — regardless of what laws your state has or doesn’t have.
Take Control of Your Privacy Today
Your state’s privacy laws may give you additional legal tools, but you don’t need to wait for legislation to protect your personal information. Data broker removal works in every state, for every person, right now.
- Run a free Optery scan — see where your personal information is exposed on data broker sites regardless of your state
- Remove your data from broker sites using Optery or Incogni — works in all 50 states
- Freeze your credit — a federal right available to everyone
- Know your state’s rights — if your state has a privacy law, use it to add legal weight to your deletion requests
- Stay informed — privacy legislation is evolving rapidly and new rights may become available in your state
Laws set the floor for your privacy. You set the ceiling.
Frequently Asked Questions
Does the US have a federal privacy law?
Not a comprehensive one. The US has sector-specific laws (HIPAA for healthcare, FERPA for education, COPPA for children) but no general federal law governing how companies collect and sell your personal data. Privacy protection currently depends on state laws, which vary dramatically.
Which state has the strongest privacy law?
California has the strongest state privacy law. The CCPA/CPRA gives residents the right to know, delete, and opt out of the sale of their data. The DELETE Act adds a one-click data broker deletion portal. No other state matches California’s comprehensive approach.
Can I remove my data from data brokers if my state has no privacy law?
Yes. Every major data broker offers opt-out processes regardless of your state. Automated services like Optery and Incogni work in all 50 states. You don’t need a state law to protect your privacy — you just need to take action.
What is California’s DELETE Act?
The DELETE Act created the DROP (Delete Request Online Portal) platform, which lets California residents send a single deletion request to every registered data broker in the state (500+). It’s the most aggressive state-level data broker regulation in the country.
Do privacy laws actually stop data brokers?
They give you legal tools to request deletion and opt out of data sales, and they create accountability through registration requirements and enforcement actions. But they don’t prevent data brokers from collecting data in the first place. Proactive removal through services like Optery or Incogni is still the most effective practical approach.
Should I reference my state’s privacy law when opting out of data brokers?
Yes, if your state has one. Referencing the specific law by name (e.g., “pursuant to the CCPA”) gives your request legal weight and often results in faster processing. Even residents of states without privacy laws can reference California’s CCPA — many data brokers apply CCPA-level protections to all users rather than building state-specific systems.
This post contains affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. See our affiliate disclosure for details.