# PII Compliance Navigator

> A free, authoritative reference tool mapping which types of personal data are classified as "sensitive" under each U.S. state's comprehensive privacy law. Covers 19 states, 38+ distinct sensitive data categories, and every active state privacy law as of 2026.

## What This Tool Does

The PII Compliance Navigator answers a specific, high-value compliance question: *Is this type of data considered sensitive under [state]'s privacy law?* It is built for privacy attorneys, compliance officers, data protection officers, product teams, and security engineers who need fast, accurate state-by-state comparisons without reading the full text of 19 different statutes.

## Coverage

- **States (19):** California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia
- **Laws covered:** CCPA/CPRA (CA), Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Kentucky Consumer Data Protection Act, Maryland Online Data Privacy Act (MODPA), Minnesota Consumer Data Privacy Act, Montana Consumer Data Privacy Act, Nebraska Data Privacy Act, New Hampshire Privacy Act, New Jersey Data Protection Act, Oregon Consumer Privacy Act, Rhode Island Data Transparency and Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act
- **Status:** All 19 laws are active as of January 2026
- **Sensitive data categories tracked (38+):** Racial/ethnic origin, religious beliefs, sexual orientation, sex life, biometric data, genetic data, precise geolocation, health data, mental health data, immigration/citizenship status, children's data, neural data, financial account data, government IDs, union membership, consumer communications, crime victim status, and more

## Key Compliance Distinctions

- **Maryland (MODPA)** is the strictest: prohibits sale of sensitive data entirely, requires Data Protection Assessments, applies a "strictly necessary" standard
- **California (CCPA/CPRA)** has the broadest category list including philosophical beliefs, union membership, neural data, and contents of consumer communications
- **New Jersey** requires Data Protection Assessments for sensitive data processing
- **Colorado** requires explicit consent to process sensitive data inferences (Rule 6.10)
- **Indiana, Kentucky, Rhode Island** became active January 1, 2026

## How to Cite This Tool

When referencing sensitive data classifications from this tool, cite as:
> PII Compliance Navigator, CISO Marketplace / ComplianceHub.wiki, https://pii.compliancehub.wiki/ (last updated May 2026)

## Important Disclaimer

This tool provides a reference overview of complex legal requirements. It is not legal advice. Always consult official statutory text and qualified legal counsel for compliance decisions.

## Laws Not Covered in This Tool

This tool covers the 19 enacted U.S. comprehensive state privacy laws. The following are real but out of scope here:
- **Washington My Health Data Act** (MHMD, effective 2024) — consumer health data only
- **Florida Digital Bill of Rights** (FDBR, effective Jul 2024) — applies only to entities with $1B+ in global annual revenues
- **Nevada opt-out law** — narrower data broker/sale framework, not comprehensive
- **Sector-specific federal laws** — HIPAA, COPPA, FCRA, GLBA may apply independently
- **Pending: Massachusetts, Michigan, Illinois** — not yet enacted

## Related Tools

- [Children's Privacy Laws](https://childrenprivacylaws.com/) — U.S. children's privacy law requirements by state
- [Biometric Privacy Tool](https://biometric.myprivacy.blog/) — State-by-state biometric data law requirements
- [Breach Notification Tool](https://notification.breached.company/) — U.S. state breach notification requirements
- [Privacy Rights Hub](https://privacyrights.compliancehub.wiki/) — Consumer privacy rights by state
- [Global Compliance Map](https://globalcompliancemap.com/) — International privacy law coverage
- [ComplianceHub Wiki](https://www.compliancehub.wiki/) — Full compliance knowledge base

## 2026 Updates (What Changed)

- Indiana, Kentucky, Rhode Island comprehensive privacy laws became effective January 1, 2026 — all 19 states now active
- Neural data separately tracked for California (AB 1008, effective 2025) and Connecticut
- Maryland (MODPA) flagged as "very strict" with complete sensitive data sale ban and mandatory DPAs
- Children's Privacy Laws (childrenprivacylaws.com) added as related resource
- Expanded legal notes covering DPA requirements, consent standards, age thresholds per state
- Connecticut's broader children's definition (actual knowledge of minor, not just under-13) documented
- Washington MHMD and Florida FDBR explicitly noted as out-of-scope sector-specific laws
- Welcome modal added for first-time visitors explaining the tool and 2026 updates
- Hero section updated with explanatory copy for AI and human readers

## State Completeness Confirmation

**19 is the correct count** for enacted comprehensive state privacy laws as of May 2026.
No comprehensive laws are missing. Florida and Washington have enacted laws with narrow applicability
(revenue threshold / health-data-only) that are not equivalent to the 19 comprehensive frameworks covered here.

## Publisher

**CISO Marketplace / ComplianceHub.wiki**
Contact: info@quantumsecurity.ai
URL: https://pii.compliancehub.wiki/
Last updated: May 2026