TL;DR

There is no single federal data-retention rule in the US — retention obligations are scattered across 20-ish state comprehensive privacy laws, each with its own thresholds, consumer rights, cure periods, and penalties. Three new ones (Indiana, Kentucky, Rhode Island) took effect January 1, 2026. The practical way to manage that mess is a comparison matrix: one row per state, one column per requirement. Build it as a CSV, then turn it into a clean, board-ready PDF with Convert: Anything to PDF — it auto-formats wide tables into landscape, runs entirely on your device, and adds no watermark. Free, local, and the kind of artifact a compliance committee actually wants.


The short answer: there's no one retention period — build a matrix

If you're searching for "the" data-retention requirement across US states, the honest answer is that there isn't one. US state privacy laws generally don't prescribe a fixed number of months or years; instead they impose data minimization and purpose-limitation principles — keep personal data only as long as reasonably necessary for the disclosed purpose — plus consumer deletion rights that effectively cap retention. What does vary state to state is thresholds (who's covered), consumer rights, cure periods, and penalties. So the manageable form of this knowledge is a side-by-side matrix, not a single number. And the cleanest way to produce and circulate that matrix is CSV → PDF.

The 2026 landscape in brief

Roughly 20 comprehensive state privacy laws are in effect in 2026, most modeled on the Virginia template. The newest arrivals took effect January 1, 2026:

State | Law | Notable threshold | Penalty | Cure period
Indiana | IN SB 5 | Virginia-style | up to $7,500/violation | 30 days
Kentucky | KY HB 15 | Virginia-style | up to $7,500/violation | 30 days
Rhode Island | RI HB 7787 / SB 2500 | Low: 35,000 consumers (or 10,000 if >20% revenue from data sales) | up to $10,000/violation | No cure period

Rhode Island stands out twice: an unusually low applicability threshold (so smaller businesses get caught) and no cure period (so there's no grace window to fix a violation before enforcement). Across all of these, enforcement sits with the state Attorney General, and 2026 is widely described as the year state enforcement "takes center stage." The retention angle runs through the data-minimization obligations and the consumer deletion/access rights every one of these laws grants.

(This is general information, not legal advice — confirm specifics with counsel before relying on a matrix for compliance decisions.)

Why a CSV → PDF matrix is the right artifact

A spreadsheet is how you build and maintain the matrix. A PDF is how you circulate and freeze it. You want both:

  • The CSV lives in your compliance repo, gets updated as laws change, and feeds analysis.
  • The PDF is the dated snapshot you put in front of the privacy committee, attach to a board deck, or hand to an auditor — formatted to read, impossible to accidentally edit, and stamped with the date it reflects.

Convert: Anything to PDF is built for exactly this CSV-to-readable-table step. It auto-detects wide tables (6+ columns — and a state-by-state matrix is always wide) and switches to landscape so your columns don't get clipped. The output is a clean table PDF, no watermark, generated on your machine.

How to build and convert the matrix

  1. Build the CSV. Columns might be: State, Law, Effective date, Applicability threshold, Deletion right, Data minimization, Cure period, Penalty, Enforcer, Notes. One row per state.
  2. Export it as CSV from Excel (File → Save As → CSV) or Google Sheets (File → Download → Comma-separated values). Note: the extension doesn't read .xlsx directly, so export to CSV first.
  3. Install Convert: Anything to PDF — free, no account.
  4. Open it, choose Upload Files, and drop in your CSV. With 6+ columns it auto-switches to landscape.
  5. Want context pages? Add a Markdown summary (the methodology, the "as of" date) and merge it in front of the table.
  6. Click Convert. The board-ready PDF downloads instantly.

Because conversion runs on your device, your compliance matrix — which may reference your own data practices and counsel's notes — never gets uploaded to a third-party converter. For a privacy team, routing a privacy document through someone else's server is the kind of irony worth avoiding.

Pairing it with web captures

The matrix is the summary; the sources are the proof. When you cite a specific statute or an IAPP/state-AG page in the matrix, snapshot that source page too so your record shows the text you relied on, dated. Convert: Web to PDF captures statute pages and guidance as selectable-text PDFs — including pages behind a research-service login — so your matrix and its citations live together. (We have related posts on the broader 2026 state-privacy landscape and document retention if you want to go deeper.)

This two-tool pattern — build the summary as CSV→PDF, freeze the sources as web→PDF — is the backbone of a defensible compliance file. Both tools are free and local by design; our manifesto explains why we keep them that way rather than locking compliance basics behind a subscription.

Frequently asked questions

Is there a standard data-retention period across US state privacy laws?

No. US state privacy laws generally impose data-minimization and purpose-limitation principles plus consumer deletion rights, rather than a fixed retention period in months or years. The practical effect is "keep it only as long as necessary for the disclosed purpose," which varies by context — hence the value of a side-by-side matrix.

What changed in 2026?

Indiana (SB 5), Kentucky (HB 15), and Rhode Island (HB 7787/SB 2500) took effect January 1, 2026, bringing the total to around 20 comprehensive state laws. Rhode Island has a notably low applicability threshold and no cure period.

Why convert the matrix to PDF instead of just keeping the spreadsheet?

The spreadsheet is your working, editable copy; the PDF is the frozen, dated, formatted snapshot you circulate to a committee, board, or auditor. You want both. The PDF can't be accidentally edited and reads cleanly.

Will a wide matrix get its columns clipped?

No. Convert: Anything to PDF auto-detects tables with 6+ columns and switches to landscape, so a state-by-state matrix stays legible.

Can it read my Excel file directly?

Not directly. Export to CSV first (Excel: File → Save As → CSV; Google Sheets: File → Download → CSV), then drop the CSV in.

Does my compliance data get uploaded anywhere?

No. Conversion runs entirely on your device. Your matrix and counsel's notes never touch a server.

Which browsers does it work on?

Any Chromium browser — Chrome, Edge, Brave, Arc, Opera, Vivaldi. Not Firefox or Safari.

Bottom line

There's no single US data-retention rule — there's a patchwork of ~20 state laws, three of them brand new in 2026, governed by data-minimization and deletion rights rather than fixed periods. Manage it as a comparison matrix: build it in CSV, freeze it as a dated, landscape-formatted PDF with Convert: Anything to PDF, and snapshot your sources with Convert: Web to PDF. Free, local, board-ready — and your privacy documents never leave your machine.