Privacy law is state law in America. Every state sets different rules, penalties, and response windows. Shield navigates them all so you don't have to — here's where we operate and what your state gives you.
Each state has its own privacy law, enforcement authority, and consumer protections. Shield handles the legal mechanics — you just need to know which state you reside in.
Five more state privacy frameworks are in active expansion planning. Join the waitlist for your state — you'll get founding-member pricing when Shield activates there.
Privacy rights vary by state. This is what changes when you cross state lines.
| Right / Feature | California | Texas | Virginia | Colorado | Oregon |
|---|---|---|---|---|---|
| Right to Delete | Yes (45d) | Yes (45d) | Yes (45d) | Yes (45d) | Yes (45d) |
| Centralized Delete Registry | DROP (Aug 2026) | No | No | No | No |
| Authorized Agent Framework | Full | Opt-out signals only | Not codified | UOOM required | Full (opt-out) |
| Universal Opt-Out (GPC) | Required | Required (Jan 2025) | Not required | Required (July 2024) | Required (Jan 2026) |
| Max Civil Penalty | $7,500 intentional | $7,500 per violation | $7,500 intentional | $20,000 per violation | $7,500 + fees |
| Cure Period Status | Removed 2023 | 30 days (active) | 30 days (permanent) | Expired Jan 2025 | Expired Jan 2026 |
| Private Right of Action | Breach only | No | No | No | No |
| Enforcement Authority | CPPA (agency) | AG only | AG only | AG + DA | AG only |
| Third-Party List Right | Categories | Categories | Categories | Categories | Specific parties |
| Data Protection Assessments | Required (certain) | Not required | Required (high-risk) | Required (high-risk) | Required (high-risk) |
Not all state privacy laws are equal. When evaluating whether your state gives you meaningful privacy rights, five criteria matter most:
Every state privacy law includes a right to delete, but enforcement varies wildly. California, Texas, Virginia, Colorado, and Oregon all require controllers to respond within 45 days. States without privacy laws (about 30 total) have no such framework — you rely on the broker's voluntary compliance.
Whether a state codifies an authorized agent framework determines whether you can use a service like ClickOff to submit requests on your behalf. California and Oregon have full frameworks. Texas recognizes opt-out signals only. Colorado requires UOOM but not formal agent appointments. Virginia has no explicit codification; brokers voluntarily honor agent submissions.
Universal opt-out mechanisms like Global Privacy Control let you broadcast your preference to every covered website automatically. California, Colorado, Oregon, Montana, Delaware, and Connecticut require controllers to honor GPC. Texas recognizes it for opt-out-signal agents. Virginia, Iowa, and Utah don't require it.
Most state privacy laws restrict enforcement to the Attorney General, meaning individual lawsuits are typically not possible. Colorado is unique in allowing both the AG and District Attorneys to enforce. California has a dedicated privacy agency (the CPPA). Penalties range from $5,000 (Connecticut) to $20,000 (Colorado) per violation.
Many state laws originally included "cure periods" (grace windows in which businesses could fix violations before facing penalties). These are expiring: Colorado's expired January 2025, Oregon's expired January 2026. Texas's and Virginia's remain active. California's was removed in 2023. Expired cure periods mean immediate enforcement, which is significantly stronger for consumers.