US state website compliance — by state
Most websites are governed by a mix of federal law and the laws of every state whose residents they reach. The overviews below summarize each state's specific website-relevant rules — privacy, cookies, accessibility, cybersecurity, anti-spam, and AI — in plain English. Each page links to the official statutes for verification.
Written for business owners and product teams. Not legal advice; consult counsel in the state for binding answers.
Published overviews (5)
More states being added monthlyCalifornia
highCalifornia has the strictest website-privacy regime in the United States — the CCPA and its successor the CPRA — plus the CalOPPA privacy-policy requirement, court-affirmed ADA accessibility liability, and an emerging AI-transparency statute. If you collect any data from California residents, you almost certainly have website obligations here.
CCPACPRACalOPPA
Colorado
highColorado has two landmark state laws affecting websites: the Colorado Privacy Act (CPA), in effect since July 2023, and the Colorado AI Act (SB 24-205), the country's first comprehensive AI regulation, effective February 1, 2026. Combined with HB 21-1110 (state accessibility law), Colorado has built one of the most comprehensive state-level digital compliance regimes outside of California.
CPAColorado AI ActHB 21-1110
Florida
mediumFlorida's primary website law is the Florida Digital Bill of Rights (FDBR), effective July 1, 2024, but its threshold is unusually high — it only applies to businesses with over $1B in global revenue that engage in specific activities. For most businesses, the more relevant Florida obligations are FIPA (data breach), Florida HB 3 (online minor protections), and federal ADA accessibility liability.
FDBRFlorida HB 3FIPA
New York
highNew York's website compliance landscape is shaped by the SHIELD Act (data security + breach notification), New York City's Local Law 144 governing automated hiring tools, a robust biometric privacy statute, and the highest volume of ADA web-accessibility lawsuits in the country. There is no comprehensive state privacy law yet, but proposed bills are pending.
SHIELD ActLocal Law 144 (NYC)NYC Biometric Privacy Law
Texas
highTexas's primary website law is the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024 — a comprehensive privacy law modeled on Virginia's VCDPA but with a notably lower applicability threshold. Texas also has one of the country's strictest biometric statutes and a 2025 AI governance law.
TDPSATexas Biometric ActTRAIGA
States being researched
We publish each state overview after a real review of the statutes, not as auto-generated content. The next batch on the editorial queue:
- Virginia
- Connecticut
- Utah
- Illinois
- Washington
- Oregon
- Iowa
- Indiana
- Tennessee
- Montana
- and 35 more
Want your state prioritized? Email hello@scantra.ai and we'll push it up.
Check your own site against the law that actually applies to it
Scantra runs a free 9-rule scan against your homepage — no account, no card — covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Then it ranks the findings so you know which one to fix first.
Run a free scan →Important: These pages are written for general business orientation, not as legal advice. State website law changes regularly. For binding answers to your specific situation, consult a licensed attorney in the relevant state.