
19 State Privacy Laws Are Now Active: What MSPs Need to Know in 2026

State privacy laws are multiplying fast and your SMB clients are in scope. Here is the MSP guide to which laws matter, what they require, and how to turn compliance into a revenue stream.

Nuronus Team · May 5, 2026 · 11 min read

Your Clients Are Probably Breaking a Privacy Law They Don't Know About

There are now 19 state privacy laws active in the United States as of 2026. Two years ago there were five. By next year there will be more.

Most SMBs have no idea these laws exist, let alone that they apply to them. If your client has customers in California, Texas, Virginia, Colorado, Connecticut, Maryland, or any of the other states with active privacy legislation, they have legal obligations around how they collect, store, process, and delete personal data.

This is a compliance gap that MSPs are uniquely positioned to fill. You already manage the infrastructure where this data lives. Here is everything you need to know about the current landscape, which clients are at risk, and how to package this as a service.


The Current State Privacy Law Map

As of May 2026, these states have active comprehensive privacy laws:

| State | Law | Effective Date | Key Threshold |
|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 | $25M revenue OR 100K consumers' data |
| Virginia | VCDPA | Jan 2023 | 100K consumers OR 25K+ with 50% revenue from data sales |
| Colorado | CPA | Jul 2023 | 100K consumers OR 25K with revenue from data sales |
| Connecticut | CTDPA | Jul 2023 | 100K consumers OR 25K with 25% revenue from data sales |
| Utah | UCPA | Dec 2023 | $25M revenue AND 100K consumers |
| Iowa | ICDPA | Jan 2025 | 100K consumers OR 25K with 50% revenue from data sales |
| Indiana | INCDPA | Jan 2026 | 100K consumers OR 25K with 50% revenue from data sales |
| Tennessee | TIPA | Jul 2025 | $25M revenue AND 175K consumers |
| Montana | MCDPA | Oct 2024 | 50K consumers |
| Texas | TDPSA | Jul 2024 | Conducts business in TX and processes personal data (no revenue threshold) |
| Oregon | OCPA | Jul 2024 | 100K consumers OR 25K with 25% revenue from data sales |
| Delaware | DPDPA | Jan 2025 | 35K consumers OR 10K with revenue from data sales |
| New Hampshire | NHPA | Jan 2025 | 35K consumers OR 10K with revenue from data sales |
| New Jersey | NJDPA | Jan 2025 | 100K consumers OR 25K with revenue from data sales |
| Nebraska | NDPA | Jan 2025 | Processes personal data (no threshold) |
| Maryland | MODPA | Oct 2025 (enforcement Apr 2026) | 35K consumers OR 10K with 20% revenue from data sales |
| Minnesota | MCDPA | Jul 2025 | 100K consumers OR 25K with 25% revenue from data sales |
| Kentucky | KCDPA | Jan 2026 | 100K consumers OR 25K with 50% revenue from data sales |
| Rhode Island | RIDPA | Jan 2026 | 35K consumers OR 10K with revenue from data sales |

Notice the trend: thresholds are getting lower. Texas and Nebraska have no revenue threshold at all — if you process personal data of their residents, you are in scope. Maryland's threshold is just 35,000 consumers. A mid-size e-commerce company, medical practice, or professional services firm easily hits these numbers.


Why This Matters for MSPs

Your Clients Do Not Know They Are In Scope

Most SMBs think privacy laws only apply to big tech companies. They are wrong. A 50-person healthcare practice in Utah with patients from multiple states is subject to HIPAA and the privacy laws of every state where their patients reside. A regional e-commerce company shipping to 20 states could be subject to a dozen different privacy requirements.

The Data Lives on Infrastructure You Manage

Customer databases, email lists, CRM systems, file shares, cloud storage, backup systems — you manage the infrastructure where personal data is stored and processed. You are already the custodian of this data. The question is whether you are helping your clients handle it legally.

Penalties Are Real

  • **California:** Up to $7,500 per intentional violation
  • **Texas:** Up to $25,000 per violation
  • **Maryland:** Up to $10,000 first violation, $25,000 subsequent
  • **Most states:** Attorney General enforcement with civil penalties

A single data breach involving personal data from a state with an active privacy law can trigger notification requirements, regulatory investigation, and fines — on top of the breach response costs.


What The Laws Actually Require

Despite being different laws from different states, they converge on a common set of requirements:

1. Data Inventory and Mapping

What it means: Know what personal data you collect, where it is stored, who has access, and how it flows through the organization.

MSP action: This is asset discovery and data classification. You already have the tools — RMM, M365 integration, network scanning. Map which systems contain personal data (CRM, email, file shares, databases, backups) and document the data flows.

2. Consumer Rights

What it means: Consumers can request to see their data, correct it, delete it, and opt out of its sale or use for targeted advertising.

MSP action: Your clients need a process to handle these requests within the legally required timeframe (usually 30-45 days). This means knowing where all of a consumer's data lives across all systems — which requires the data inventory from step 1.

3. Data Protection Assessments

What it means: Organizations processing sensitive data or engaging in high-risk activities (targeted advertising, profiling, selling data) must conduct formal risk assessments.

MSP action: This maps directly to the risk assessment and compliance workflows you would run through a GRC platform. Document the assessment, identify risks, implement controls, and keep evidence.

4. Security Requirements

What it means: Implement "reasonable" administrative, technical, and physical security measures appropriate to the data being processed.

MSP action: This is your core business. MFA, encryption, access controls, patch management, backup, endpoint protection — the same controls you implement for cyber insurance and HIPAA. The privacy laws just extend the same requirements to personal data beyond healthcare.

5. Breach Notification

What it means: Notify affected consumers and the state attorney general within a specified timeframe (varies by state, typically 30-60 days) if personal data is compromised.

MSP action: You need an incident response plan that accounts for multi-state notification requirements. A breach affecting residents of 5 different states means 5 different notification processes with different timelines and content requirements.

6. Data Minimization

What it means: Only collect personal data that is reasonably necessary for the stated purpose. Maryland's MODPA is particularly strict on this — it prohibits processing data in ways that could harm consumers.

MSP action: Help clients audit what data they actually collect vs. what they need. Many SMBs collect far more data than necessary simply because their forms ask for it or their defaults are overly broad.


Which of Your Clients Are At Risk?

Run through this checklist for each client:

High risk — act now:

  • Healthcare (already under HIPAA, now also state privacy)
  • E-commerce (customers in multiple states)
  • Financial services (sensitive financial data)
  • Legal firms (client data across jurisdictions)
  • Any client with a customer-facing website collecting form data

Medium risk — assess soon:

  • Professional services with clients in multiple states
  • Real estate companies (transaction data, financial data)
  • Staffing and HR companies (employee personal data)
  • Marketing agencies (handling client customer data)

Lower risk (but not zero):

  • Local-only businesses with no online presence
  • B2B companies with limited consumer data
  • Companies with fewer than 35K consumer records

How to Sell This as a Service

The Conversation Starter

> "Quick question — do you know how many states your customers live in? Because if the answer is more than one, there is a good chance you have data privacy obligations you are not meeting. Nineteen states now have active privacy laws with real penalties. I would like to run a quick assessment to see where you stand."

Service Packages

| Service | What You Deliver | Pricing |
|---|---|---|
| **Privacy Risk Assessment** | Identify which laws apply, data inventory, gap analysis | $2,000-$5,000 |
| **Privacy Program Setup** | Policies, procedures, data mapping, consumer rights process | $5,000-$10,000 |
| **Ongoing Privacy Monitoring** | Continuous compliance tracking, policy updates, new law alerts | $300-$500/month |
| **Breach Response Readiness** | Multi-state notification plan, templates, tabletop exercise | $2,000-$4,000 |
| **Data Protection Assessment** | Formal risk assessment for high-risk processing activities | $3,000-$6,000 |

Revenue Opportunity

If you manage 20 SMB clients and half of them need privacy compliance services:

  • 10 clients x $3,500 assessment = **$35,000 project revenue**
  • 10 clients x $400/month ongoing monitoring = **$48,000 annual recurring revenue**

That is $83,000 in new revenue from a compliance area most MSPs are not touching yet.


Practical Steps for MSPs

Start This Month

1. **Audit your own client base.** For each client, list the states where their customers reside. Any client with customers in 3+ states almost certainly has privacy obligations.

2. **Pick your top 5 highest-risk clients.** Healthcare, e-commerce, financial services — start there.

3. **Send them the conversation starter email.** Frame it as a heads-up, not a sales pitch.

4. **Run the privacy risk assessment.** Identify which laws apply, what data they collect, where it lives, and what gaps exist.

Build Over Time

5. **Develop a standard privacy package.** One set of policies and procedures calibrated to the most stringent state requirements (currently Maryland MODPA and California CPRA). This covers all other states automatically.

6. **Integrate privacy monitoring into your existing compliance workflow.** If you are already tracking HIPAA or SOC 2 controls, privacy controls overlay naturally. The security requirements are nearly identical — you are extending coverage, not starting from scratch.

7. **Stay current.** New state privacy laws are being enacted every legislative session. Subscribe to the IAPP (International Association of Privacy Professionals) newsletter for updates.


The MSP Advantage

Here is why MSPs win in this space:

1. **You already manage the infrastructure.** The data subject to these laws lives on systems you control.

2. **The security controls overlap.** MFA, encryption, access controls, patch management — you are already implementing these for other compliance frameworks. Privacy just adds data-specific requirements on top.

3. **Your clients trust you.** They already rely on you for security. Privacy is a natural extension of that trust.

4. **Consultants are expensive.** A privacy consultant charges $200-$400/hour. You can deliver the same outcomes at a lower cost because you already understand the client's infrastructure.

5. **It is recurring revenue.** Privacy is not a one-time project. Laws change, data flows change, consumer rights requests come in. Ongoing monitoring is the natural engagement model.

The MSPs who move on this now — while most are still ignoring state privacy laws — will own the client relationship for years. By the time competitors catch up, you will have the processes, tooling, and track record already in place.


*Need to track privacy compliance across your client portfolio? Start your free trial of Nuronus — map compliance requirements, run gap assessments, and generate audit-ready documentation for HIPAA, SOC 2, PCI DSS, and more from a single dashboard.*


#DataPrivacy #StatePrivacyLaws #CCPA #CPRA #TDPSA #MODPA #MSP #ManagedServiceProvider #PrivacyCompliance #DataProtection #SMBCompliance #ComplianceForMSPs #GRC #PrivacyLaw2026 #ConsumerPrivacy #DataMinimization
