    28 February 2569 (Thai Buddhist Era) | Top Floor | [EN] 11 min read

    State Privacy Laws: A Guide to the Patchwork

    Tags: Privacy, CCPA, State Laws

    The Absence of a Federal Privacy Law

    The United States remains one of the few major economies without a comprehensive federal data privacy law. While sector-specific statutes exist (HIPAA for health data, GLBA for financial data, COPPA for children's data, FERPA for education records), there is no general-purpose federal law governing how businesses collect, use, and share personal information. Organizations operating internationally must also navigate regulations like the GDPR, making a unified global privacy strategy essential.

    This vacuum has produced a state-by-state approach. California led the way with the California Consumer Privacy Act (CCPA) in 2018, and since then more than 19 states have enacted comprehensive privacy legislation, with additional states introducing bills every legislative session. For businesses operating across state lines, which includes virtually every company with a website, the result is a patchwork of overlapping and sometimes conflicting obligations.

    The American Privacy Rights Act (APRA) made progress in Congress in 2024 and 2025 but has not passed into law. Until a federal standard emerges, multi-state compliance is the reality. Organizations that wait for federal preemption are accumulating risk with every new state law that takes effect.

    CCPA/CPRA: The De Facto Benchmark

    California's privacy framework, consisting of the original CCPA (2020) and the California Privacy Rights Act amendments (CPRA, effective January 2023), remains the most comprehensive and most enforced state privacy law. It serves as the benchmark against which all other state laws are compared.

    Key provisions of CCPA/CPRA:

    • Right to know: Consumers can request disclosure of the categories and specific pieces of personal information a business has collected about them.
    • Right to delete: Consumers can request deletion of their personal information, with defined exceptions.
    • Right to opt out of sale or sharing: Businesses must honor opt-out requests and provide a "Do Not Sell or Share My Personal Information" link.
    • Right to correct: Consumers can request correction of inaccurate personal information.
    • Right to limit use of sensitive personal information: Consumers can restrict how businesses use sensitive data such as Social Security numbers, financial accounts, precise geolocation, and health information.
    • Private right of action: Consumers can sue businesses directly for data breaches involving unencrypted or unredacted personal information (limited to breach scenarios).

    CCPA/CPRA applies to for-profit businesses that do business in California and meet any of three thresholds: annual gross revenue over $25 million, buying/selling/sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.

    The California Privacy Protection Agency (CPPA) is the dedicated enforcement body, the first of its kind at the state level. The CPPA has rulemaking authority and has been actively issuing regulations on topics including automated decision-making, cybersecurity audits, and risk assessments.

    For a deeper look at CCPA compliance, see our CCPA service page.

    Key Provisions Most State Laws Share

    Despite their differences, state privacy laws converge on a core set of consumer rights and business obligations. Understanding these common threads makes multi-state compliance more manageable.

    Consumer rights that appear in nearly every enacted state law:

    • Right to access: Know what personal data a business has collected.
    • Right to delete: Request deletion of personal data.
    • Right to opt out of sale: Decline the sale of personal data to third parties. Most states extend this to targeted advertising and, in some cases, profiling.
    • Right to data portability: Obtain a copy of personal data in a portable, machine-readable format.
    • Right to non-discrimination: Businesses cannot retaliate against consumers who exercise their privacy rights.

    Business obligations common across most state laws:

    • Privacy notice: A clear, accessible privacy policy disclosing data collection practices, consumer rights, and how to exercise them.
    • Data protection assessments: Required for high-risk processing activities such as targeted advertising, sale of personal data, profiling, and processing of sensitive data.
    • Contractual requirements: Businesses must have data processing agreements with service providers and contractors that limit how those parties use consumer data.
    • Universal opt-out mechanisms: An increasing number of states require businesses to honor Global Privacy Control (GPC) or similar browser-based opt-out signals.
    • Sensitive data protections: Most states require opt-in consent before processing sensitive data, which typically includes racial or ethnic origin, religious beliefs, health data, biometric data, precise geolocation, and data concerning minors.

    Notable Differences: Virginia, Colorado, Connecticut, and Texas

    While the broad strokes are similar, the details diverge in ways that matter for compliance programs.

    Virginia (VCDPA, effective January 2023): Virginia was the second state to pass a comprehensive privacy law. It follows an opt-out consent model similar to CCPA but has a narrower scope: it applies to businesses that control or process personal data of at least 100,000 Virginia consumers, or 25,000 consumers if 50% or more of gross revenue comes from the sale of personal data. Virginia does not include a private right of action; enforcement rests solely with the Attorney General. A notable difference: Virginia requires opt-in consent for sensitive data processing, while CCPA/CPRA allows consumers to limit use after collection.

    Colorado (CPA, effective July 2023): Colorado's law closely mirrors Virginia's consumer rights framework but adds a distinctive requirement for a universal opt-out mechanism. Businesses must recognize and honor authenticated opt-out signals (such as Global Privacy Control) by July 2024. Colorado also requires a 60-day cure period for violations through January 2025, after which the Attorney General has discretion on whether to offer a cure opportunity. Colorado's data protection assessment requirements are among the most detailed, requiring documentation of processing purposes, benefits, and risks for each high-risk activity.

    Connecticut (CTDPA, effective July 2023): Connecticut's law is often described as a hybrid of Virginia and Colorado. It requires recognition of universal opt-out mechanisms and includes consumer rights aligned with both states. Connecticut included an initial cure period that expired in December 2024, transitioning to discretionary enforcement. One distinctive feature: Connecticut explicitly extends its protections to minors aged 13-15 with a form of enhanced opt-in requirement for targeted advertising.

    Texas (TDPSA, effective July 2024): Texas stands out for its broad applicability. Unlike most other states, Texas has no revenue threshold and no minimum consumer count for general applicability; the law applies to any entity that conducts business in Texas, processes personal data, and is not a small business as defined by the SBA. This means mid-market and even smaller companies operating in Texas must comply. Texas requires recognition of universal opt-out mechanisms, mandates opt-in consent for sensitive data, and includes a 30-day cure period. The Texas Attorney General has been among the most aggressive in enforcement, issuing early actions even before the law's full effective date.

    The Growing List: Other States to Know

    Beyond the early movers, a wave of state privacy laws has taken or will take effect:

    • Montana (effective October 2024): Applies to businesses processing data of 50,000 or more Montana consumers. Generally follows the Virginia model.
    • Oregon (effective July 2024): Notably applies to nonprofit organizations, a departure from most state laws that exempt nonprofits. Broad definition of personal data.
    • Iowa (effective January 2025): A more business-friendly law with a narrower set of consumer rights (no right to correct, no opt-out of profiling). Generous cure period.
    • Indiana (effective January 2026): Follows the Virginia model closely. 100,000 consumer threshold.
    • Tennessee (effective July 2025): Includes an affirmative defense for businesses that maintain a privacy program conforming to NIST frameworks.
    • Delaware (effective January 2025): Lower threshold of 35,000 consumers; applies to health data more broadly.
    • New Jersey (effective January 2025): Broad applicability with no revenue threshold. Includes protections for minors.
    • New Hampshire (effective January 2025): Follows Virginia model. 35,000 consumer threshold.
    • Nebraska (effective January 2025): Applies to all businesses without consumer count or revenue thresholds.
    • Maryland (effective October 2025): One of the most restrictive laws enacted to date, with data minimization requirements that go beyond other states.
    • Minnesota (effective July 2025): Includes a notably broad definition of profiling and enhanced requirements for algorithmic processing.

    This list continues to grow. Multiple states introduce comprehensive privacy bills each legislative session. Organizations should track the regulatory radar to stay current on upcoming effective dates and new bills advancing through state legislatures.

    Enforcement Trends

    State privacy laws are not paper tigers. Enforcement is active and increasing.

    California leads in enforcement volume and penalty amounts. The CPPA and the California Attorney General have pursued actions against companies of all sizes for violations including failure to honor opt-out requests, inadequate privacy notices, and mishandling of consumer data access requests. Notable early actions targeted major retailers, data brokers, and adtech companies.

    Texas has emerged as the second most aggressive enforcer. The Texas Attorney General issued enforcement actions in the months following the TDPSA effective date, signaling zero tolerance for a wait-and-see approach. Actions have focused on sale of minors' data and failure to obtain consent for sensitive data processing.

    Connecticut and Colorado have begun exercising enforcement authority now that cure periods have expired or become discretionary. Virginia's Attorney General has also signaled increased activity.

    A pattern worth noting: enforcement actions frequently begin with consumer complaints. A single complaint can trigger an investigation that uncovers systemic non-compliance. Organizations that treat privacy rights requests as administrative nuisances rather than legal obligations are creating enforcement risk.

    Penalties vary by state but generally range from $2,500 to $7,500 per violation (per consumer, per incident). When applied across thousands or millions of consumers, the financial exposure is substantial. Several states also allow injunctive relief, which can require costly operational changes on short timelines.

    Practical Compliance Approach: Build to the Most Restrictive Standard

    The only sustainable strategy for multi-state compliance is to build your program to the most restrictive standard and apply it uniformly. Attempting to maintain 19+ different compliance postures based on consumer residence is operationally impractical and legally fragile.

    In practice, this means:

    • Privacy notice: Draft a single comprehensive privacy notice that satisfies the most demanding disclosure requirements (currently California and Maryland). Include all consumer rights across all applicable states.
    • Consent mechanisms: Implement opt-in consent for sensitive data processing everywhere, not just in states that require it. The trend is clearly toward opt-in; building it now avoids retrofitting later.
    • Universal opt-out: Honor Global Privacy Control and similar universal opt-out signals for all consumers, regardless of state. California, Colorado, Connecticut, Texas, Montana, and others already require it. More will follow.
    • Data subject request handling: Build a single intake process that accommodates the broadest set of rights (access, delete, correct, portability, opt-out of sale, opt-out of profiling). If you can fulfill all CCPA/CPRA rights, you can satisfy every other state law.
    • Data protection assessments: Conduct assessments for all high-risk processing activities. Even states that do not require them today may require them tomorrow, and the assessments are valuable for demonstrating accountability.
    • Data minimization: Collect only the personal data necessary for the stated purpose. Maryland's 2025 law makes data minimization legally enforceable, and other states are likely to follow.
    • Vendor management: Ensure all service providers and contractors have data processing agreements that meet the most restrictive state requirements for flow-down obligations.

    This approach costs marginally more upfront but dramatically reduces long-term compliance overhead, audit complexity, and enforcement risk.

    Multi-State Compliance Strategy: A Practical Framework

    Organizing a multi-state compliance program requires a structured approach. Here is a framework that scales.

    1. Applicability assessment: For each state law, determine whether your organization meets the jurisdictional thresholds. Document which laws apply, which may apply as you grow, and your rationale for any determinations that a law does not apply.

    2. Gap analysis: Compare your current privacy program against the most restrictive requirements. Identify gaps in consumer rights fulfillment, consent mechanisms, notice content, data protection assessments, and vendor agreements.

    3. Unified privacy program: Build a single privacy program document that maps your controls to each applicable state law. This is the same cross-mapping approach used in security compliance (one control satisfies SOC 2, ISO 27001, and NIST simultaneously). One privacy program, mapped to 19 state laws.

    4. Technology enablement: Implement a consent management platform (CMP) that supports universal opt-out signals. Deploy a data subject request (DSR) portal that can handle all rights across all states. Ensure your data inventory and processing records are current.

    5. Training and awareness: Train customer-facing staff, product teams, and marketing teams on privacy obligations. The most common violations stem from front-line staff mishandling opt-out requests or marketing teams deploying tracking without proper consent.

    6. Monitoring and maintenance: Subscribe to legislative tracking services. Review your applicability assessment quarterly. Update your privacy notice and consent mechanisms as new laws take effect.

    For detailed guidance on the US privacy landscape, see our US privacy laws resource. To discuss a compliance strategy tailored to your organization, explore our CCPA compliance and global privacy services.

    Looking Ahead

    The trend line is unmistakable: more states will enact comprehensive privacy laws, and existing laws will be amended to become more restrictive. Several developments to watch:

    • Federal preemption: The American Privacy Rights Act or a successor bill may eventually pass, but the timeline is uncertain. Even if a federal law is enacted, it may set a floor rather than a ceiling, allowing states to impose additional requirements.
    • Children's privacy: State legislatures are aggressively targeting children's and teen privacy, with laws like California's Age-Appropriate Design Code Act and similar bills in multiple states. These often have stricter requirements than general privacy laws.
    • AI and automated decision-making: Colorado, Connecticut, and California have introduced or enacted requirements related to profiling and automated decision-making. Expect more states to regulate algorithmic processing of personal data.
    • Health data: Washington's My Health My Data Act and similar laws in Nevada and Connecticut create privacy protections for health data outside the HIPAA framework. This trend is expanding as consumer health technology (wearables, apps, telehealth) grows.
    • Data broker registration: California, Vermont, and Texas require data brokers to register. More states are likely to follow, increasing transparency and enforcement leverage.

    Organizations that build adaptable, principle-based privacy programs today will absorb these changes with incremental effort rather than reactive overhauls. The cost of building right once is always less than the cost of rebuilding repeatedly.

    Stay current with our Regulatory Radar for the latest on privacy law developments, and contact our team through the CCPA or Global Privacy service pages to discuss your multi-state compliance strategy.
