Which US states have comprehensive consumer privacy laws in 2026?

As of 2026, active comprehensive state privacy laws include California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Montana (MCDPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Delaware (DPDPA), New Jersey (NJDPA), and New Hampshire. More states are actively enacting similar statutes; GeraCompliance tracks all live rules in the platform.

Is there a federal US privacy law?

No comprehensive federal privacy law has been enacted as of 2026. Congress has proposed APRA (American Privacy Rights Act) and earlier ADPPA. Sectoral federal laws apply — HIPAA for health, GLBA for financial, COPPA for children, FERPA for education records at institutions.

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF 1.0, 2023) is a voluntary framework that US organisations use to govern AI systems. It has four functions: Govern, Map, Measure, Manage. GeraCompliance maps your AI systems onto the RMF and generates evidence packs.

How does GeraCompliance compare with OneTrust, TrustArc, Vanta?

GeraCompliance US handles privacy (state laws + HIPAA + GLBA-adjacent) and AI governance (NIST AI RMF, NYC AEDT, California ADMT under CPRA) in a single platform. OneTrust and TrustArc are privacy-first; Vanta and Drata are SOC 2 / security-first. GeraCompliance unifies both at startup-friendly pricing.

GeraCompliance in the US 2026 — Beyond OneTrust, TrustArc, and Vanta

The US compliance landscape in 2026 is a 50-state patchwork plus sector laws plus an emerging layer of AI-specific rules. For any organisation processing personal information about US residents, the question isn't “do we need a privacy program” — it's “which combination of state and sectoral rules applies to us and what evidence do we have to produce.” GeraCompliance is built to answer that.

State consumer privacy laws — the active list

Active comprehensive state laws as of 2026:

California — CCPA (2020) amended by CPRA (effective 2023)
Virginia — VCDPA (effective 2023)
Colorado — CPA (effective 2023)
Connecticut — CTDPA (effective 2023)
Utah — UCPA (effective 2023)
Iowa — ICDPA, Indiana — INCDPA, Tennessee — TIPA
Montana — MCDPA, Oregon — OCPA, Texas — TDPSA
Florida — FDBR, Delaware — DPDPA
New Jersey — NJDPA, New Hampshire state privacy act

Each has its own nuances: applicability thresholds (revenue, consumer counts, sensitive-data processing), consumer rights (access, deletion, correction, portability, opt-out of sale/share/targeted advertising), opt-out preference signals (Global Privacy Control), data-protection assessments, and processor-contract language. Maintaining compliance manually is now impractical.

Sectoral laws still matter

HIPAA: HHS Office for Civil Rights; Privacy, Security, Breach Notification Rules.
GLBA: financial privacy and safeguards (Safeguards Rule updated by FTC in 2023).
COPPA: children under 13.
FERPA: education records at institutions.
TCPA: call/text marketing consent.
FCRA: consumer reporting (tenant screening, employment).
Wiretapping/session-recording laws: state-level; California, Illinois, Pennsylvania are two-party-consent states.

AI governance in the US

NIST AI Risk Management Framework (AI RMF 1.0, 2023): voluntary, widely adopted baseline. GeraCompliance maps systems onto Govern/Map/Measure/Manage and generates evidence.
NYC Local Law 144 — AEDT bias audit: Automated Employment Decision Tools used for hiring/promotion in NYC require annual bias audit by independent auditor and candidate notice.
Illinois AI Video Interview Act: consent and data-retention rules.
California ADMT regulations under CPRA: consumer rights around automated decision-making technology; CPPA rulemaking is live.
Colorado AI Act (2024): high-risk AI system obligations, risk management program, duty to avoid algorithmic discrimination.
Executive Order 14110 (AI) and subsequent follow-ons: federal procurement and agency duties shape the ecosystem.

SOC 2 readiness, ISO 27001, and HITRUST

GeraCompliance supports SOC 2 Type I and Type II readiness across the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), ISO 27001:2022 controls, and HITRUST for healthcare-focused customers. We integrate with AWS, GCP, Azure, GitHub, GitLab, Okta, Google Workspace, and 40+ evidence sources.

US pricing

GeraCompliance Starter: $99/month (state privacy readiness + AI inventory)
GeraCompliance Growth: $499/month (adds SOC 2 readiness and NYC AEDT audit support)
GeraCompliance Enterprise: custom; full AI governance + HITRUST
OneTrust: enterprise pricing, tens of thousands+ annual
TrustArc: enterprise pricing
Vanta: $8,000–$20,000+/year for SOC 2 automation
Drata: similar band to Vanta

A SaaS, a healthcare startup, a hiring platform

An Austin SaaS company lands its first US enterprise customer who asks for SOC 2 Type II. GeraCompliance automates evidence collection from AWS and GitHub, and the company closes its audit in 4 months. A Boston health-tech startup layers HIPAA on top. A NYC-based hiring platform schedules its Local Law 144 AEDT bias audit and publishes the summary through GeraCompliance's audit-report generator.

Ecosystem

Health-data flows tie to GeraClinic HIPAA programme; browser-side privacy enforcement via GeraGuard; financial-sector GLBA integrations via GeraCash. A Gera Prime Business tier bundles the Starter plan.

Sources

NIST — AI Risk Management Framework 1.0 (2023)
California Privacy Protection Agency — CPRA regulations
NYC DCWP — Local Law 144 (AEDT) guidance
HHS OCR — HIPAA for Professionals
IAPP — US State Privacy Legislation Tracker