top of page

State US laws in data privacy

In the absence of a comprehensive federal data privacy law, state legislatures across the U.S. have taken the lead in regulating how businesses handle consumer personal information. This has resulted in a patchwork of state data privacy statutes that companies must grapple with from a compliance perspective. As of today, 15 states have enacted omnibus data privacy acts - California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire.

While the state data privacy laws share some core policy aims, there are also key nuances and differences across the regulatory regimes

1) Empowering consumer rights

A primary driver is granting consumers greater rights over the collection, use, sharing and retention of their personal data by businesses. This includes rights to access, delete, correct and opt-out of data sales/sharing.

2) Increasing business obligations

The laws impose heightened data protection obligations on companies, such as data mapping, security safeguards, breach notification, and consent requirements for processing sensitive information.

3) Regulatory clarity

Many states cite the need to provide a standardized set of data practices and rules to allow businesses to systematically build compliance programs.

Despite the shared high-level goals, there is considerable divergence in the specific requirements and nuances across state data privacy laws:

- Scope & thresholds

Laws vary in criteria for determining which companies must comply based on factors like revenue, data volume processed, or whether data sales occur.

- Definitions of key terms

There is a lack of uniformity in how "personal data", "sensitive data", and other key terms are legally defined across states.  

- Consent for sensitive data

Some states require opt-in consent before processing sensitive data like biometrics, while others have opt-out regimes.  

- Penalties & cure periods

Enforcement provisions like civil penalties, statutory damages and "cure periods" to remedy violations differ across jurisdictions.

- Sector-specific carve-outs

Laws contain varying exceptions or enhanced protections for sectors like healthcare, financial services, educational data, and biometrics.

- Rulemaking powers

States take different approaches in providing rulemaking powers to regulatory agencies for issuing compliance guidance.

Meeting compliance obligations  

To meet their legal data privacy and security obligations under this fragmented legislative field, businesses should consider:

  • Conducting data mapping of all collection points, usages, sharees and vendors to identify jurisdictional applicability

  • Reviewing and updating data protection policies, practices and third-party contracts in line with statutory requirements

  • Implementing security controls, access limitations and protocols around sensitive data aligned with regulatory guidance

  • Establishing robust mechanisms to verify and facilitate consumer rights requests related to access, deletion, opt-outs and data portability mandates

  • Ensuring proper representative consent is obtained where required for processing personal data, biometrics or data of minors

  • Reviewing insurance coverage and updating external privacy notices, internal training and breach response plans

As state data privacy laws rapidly develop and more legislatures join the fray, businesses can anticipate an increasingly dynamic and complex regulatory compliance environment in this space. Investing in flexible data governance and cybersecurity capabilities mapped to legislation will be crucial from risk mitigation and consumer trust standpoints.


bottom of page