US State Privacy and Data Protection Laws
Navigating the patchwork of state-level privacy requirements across America
// What Are State Privacy Laws?
Since California enacted CCPA in 2018, a growing number of US states have passed comprehensive privacy laws creating a complex compliance landscape. Organizations operating nationally must navigate varying requirements across California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island and more.
While these laws share common elements—consumer rights, business obligations, enforcement mechanisms—they differ significantly in scope, definitions, opt-out requirements, and enforcement approaches. Some follow the CCPA model (opt-out of sales), while others follow the Virginia model (opt-out of targeted advertising and sales).
No federal comprehensive privacy law exists, leaving businesses to comply with this state patchwork. Many organizations implement the most stringent requirements nationally to simplify compliance, effectively making California and other strict state laws de facto national standards.
// Inside the Regulation
State privacy laws generally include consumer rights, business obligations, and enforcement mechanisms, but vary significantly in thresholds, definitions, and specific requirements. Understanding the major models helps organizations develop compliant programs.
Common Consumer Rights
Most comprehensive state privacy laws grant consumers similar core rights, though specific mechanics vary.
Right to Know/Access
Consumers can request disclosure of personal information collected, categories, sources, purposes, and third parties.
Right to Delete
Consumers can request deletion of their personal information, subject to specified exceptions.
Right to Opt-Out
Most laws include opt-out rights for sale of data, targeted advertising, and/or profiling. Specific triggers vary by state.
Right to Correct
A growing number of states include a right to correct inaccurate personal information.
Right to Data Portability
Many states require providing personal information in portable, usable formats upon request.
Non-Discrimination
Businesses cannot discriminate against consumers exercising privacy rights.
Key Differences by State
Significant variations exist that affect compliance strategies and operational requirements.
Applicability Thresholds
California: $25M revenue OR 100K consumers. Virginia/Colorado: 100K consumers OR 25K consumers + 50% revenue from data sales. Other states vary.
Private Right of Action
California allows consumer lawsuits for data breaches. Most other states limit enforcement to state AG only.
Opt-Out Mechanisms
California requires 'Do Not Sell' links. Colorado/other states require honoring universal opt-out signals. Requirements vary.
Sensitive Data
Definition of sensitive personal information varies. Some states require opt-in consent, others allow opt-out.
Cure Periods
Some states allow businesses to cure violations before penalties. Others (like California) have eliminated cure periods.
State Breach Notification Laws
All 50 states have data breach notification laws predating comprehensive privacy legislation, with varying requirements.
Notification Triggers
Definition of 'personal information' and 'breach' varies by state. Some require risk of harm analysis, others do not.
Notification Timing
Ranges from 'most expedient time possible' to specific deadlines (30, 45, 60, 72 hours, etc.).
Content Requirements
Required notification content varies—some prescriptive, others general. Many require AG notification.
Safe Harbors
Many states provide safe harbors for encrypted data, though definitions of adequate encryption vary.
Major State Laws
Key comprehensive privacy laws organizations should understand.
California (CCPA/CPRA)
Most comprehensive US privacy law with dedicated enforcement agency. Includes private right of action for breaches.
Virginia (VCDPA)
Model for many subsequent laws. AG enforcement only, no private right of action. 30-day cure period.
Colorado (CPA)
Universal opt-out mechanism recognition. Strong AG enforcement. Data protection assessments required.
Texas (TDPSA)
Applies to businesses 'doing business in Texas' with broad jurisdictional reach. No revenue threshold.
Others
Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, and others with varying requirements.
Note: Organizations should develop a unified privacy program addressing the most stringent requirements across applicable states. Attempting state-by-state compliance creates operational complexity and increases compliance risk. Many organizations treat California requirements as the baseline for national operations.
// Who Must Comply
1. Businesses meeting state-specific thresholds for revenue or data processing
2. Organizations collecting personal information from residents of states with privacy laws
3. Companies operating websites or services accessible in regulated states
4. Businesses 'doing business in' states with broad jurisdictional definitions
5. Controllers and processors handling personal data subject to state laws
// Key Requirements
Privacy Notices
Provide comprehensive privacy notices meeting requirements of all applicable state laws
Opt-Out Mechanisms
Implement opt-out mechanisms for sales, sharing, and targeted advertising as required by applicable states
Request Response
Respond to consumer requests within state-mandated timeframes (typically 45 days)
Breach Notification
Notify affected individuals and state authorities of breaches per state-specific requirements
Reasonable Security
Implement and maintain reasonable security measures appropriate to the data processed
Vendor Contracts
Execute data processing agreements with service providers meeting state requirements
// Enforcement & Penalties
Enforcement varies by state, with penalties typically assessed per violation. California's private right of action for breaches and dedicated enforcement agency make it the most active enforcement environment. Other states rely on AG enforcement with varying penalty structures.
Penalties vary by state: California $7,500 per violation; Virginia $7,500; Colorado $20,000; Texas $7,500 to $25,000.
Examples:
- California settlements with Sephora ($1.2M), DoorDash (ongoing) for sale violations
- State AG multistate settlements for data breaches (Equifax, T-Mobile)
- California private lawsuits: $100-$750 per consumer per breach incident
- Increasing AG enforcement as state privacy laws mature
// Cyber Insurance Impact
Cyber insurers evaluate state privacy law exposure based on business operations and data processing activities. Multi-state compliance increases complexity. California's private right of action creates significant breach exposure. Policies should cover regulatory defense across all applicable jurisdictions and consumer claims where applicable.
// How Breach Craft Helps
We help organizations achieve compliance with state privacy laws through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges these laws create.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873