State Privacy Laws: A National Comparison

The United States operates without a single comprehensive federal privacy statute, leaving individual states to construct their own frameworks governing how businesses collect, use, and share personal data. This page maps the structure of state-level privacy law across the US, comparing scope, rights, enforcement mechanisms, and key definitional differences. It serves as a reference for privacy professionals, legal operations teams, researchers, and compliance practitioners navigating an increasingly fragmented regulatory landscape.


Definition and Scope

State privacy laws are statutory frameworks enacted by individual US state legislatures to regulate the collection, processing, sale, and disclosure of personal information about residents of that state. Unlike sector-specific federal statutes — such as HIPAA, COPPA, or the GLBA — comprehensive state privacy laws apply horizontally across industries and data types, subject to specific exemptions.

As of 2024, 19 states have enacted comprehensive consumer privacy legislation, according to the International Association of Privacy Professionals (IAPP) State Privacy Legislation Tracker. Each statute defines its own threshold for applicability, typically based on the volume of residents' data processed or annual revenue derived from data sales. The result is a patchwork of overlapping but non-identical obligations that businesses operating across state lines must reconcile simultaneously.

The scope of any given state law is bounded by three primary variables: (1) who qualifies as a covered entity, (2) which categories of data fall within scope, and (3) which individuals possess enforceable rights. Most enacted statutes exempt small businesses and nonprofit organizations, though the precise thresholds vary. The California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) applies to businesses that process the personal information of 100,000 or more California consumers or households annually, or that derive 25% or more of annual revenue from selling personal information (Cal. Civ. Code § 1798.140).


Core Mechanics or Structure

All enacted comprehensive state privacy statutes share a recognizable structural skeleton, though the details diverge significantly. The shared framework consists of four functional layers:

1. Consumer Rights. Every enacted statute grants residents rights over their personal data. Standard rights include access, correction, deletion, and portability. Opt-out rights — specifically the right to opt out of the sale of personal data, targeted advertising, and profiling — appear across all enacted statutes. Virginia's Consumer Data Protection Act (CDPA, Va. Code § 59.1-571 et seq.) and Colorado's Privacy Act (CPA, C.R.S. § 6-1-1301 et seq.) also include opt-in consent requirements for sensitive data processing.

2. Controller Obligations. Entities that determine the purpose and means of processing are classified as "controllers" (analogous to the GDPR's "data controller"). Controllers must publish privacy notices, respond to consumer requests within defined timeframes (typically 45 days, with a 45-day extension), and conduct data protection assessments for high-risk processing activities.

3. Processor Obligations. Entities processing data on behalf of controllers must operate under written data processing agreements specifying the scope and nature of processing. This two-tier controller/processor distinction mirrors the EU General Data Protection Regulation (GDPR) architecture.

4. Enforcement. Most state statutes vest exclusive enforcement authority in the state attorney general. California's CPRA created a dedicated agency — the California Privacy Protection Agency (CPPA) — with independent rulemaking and enforcement authority, a model unique among US states as of 2024.

Data subject access requests and right-to-deletion requirements are operationalized differently across states, creating compliance complexity for organizations serving residents in multiple jurisdictions.


Causal Relationships or Drivers

State-level privacy legislation accelerated after the European Union's GDPR took effect in May 2018, demonstrating that comprehensive horizontal privacy regulation was operationally achievable. California's CCPA, enacted in 2018 and effective January 1, 2020, served as the catalyst for subsequent state activity, establishing a template that other legislatures modified rather than originated from scratch.

The absence of federal preemptive legislation is the primary structural driver of state proliferation. Congress has debated comprehensive federal privacy bills — including the American Data Privacy and Protection Act (ADPPA), which passed the House Energy and Commerce Committee in 2022 but did not advance to a floor vote — without enacting binding law. This legislative gap created space and political incentive for states to act unilaterally.

A second driver is documented harm from large-scale data breaches and the commercial surveillance economy. The Federal Trade Commission (FTC) has pursued enforcement under Section 5 of the FTC Act against deceptive data practices, but its authority does not extend to affirmative data rights or comprehensive processing restrictions, leaving states as the primary legislative actors.

Consumer data rights expansion has also been driven by advocacy organizations documenting practices such as the sale of location data, cross-context behavioral advertising, and the aggregation of sensitive data categories.


Classification Boundaries

State privacy statutes establish explicit classification distinctions that determine the stringency of applicable obligations:

Sensitive vs. Non-Sensitive Data. Sensitive data categories — which typically trigger opt-in consent requirements rather than opt-out mechanisms — include: racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation or gender identity, immigration status, financial account data, precise geolocation, biometric identifiers, and children's data. Biometric data privacy laws in Illinois (BIPA, 740 ILCS 14/) impose requirements separate from and stricter than general state privacy statutes.

B2B vs. B2C Contexts. Several statutes initially exempted employee data and business-to-business contact information. California's CPRA eliminated these exemptions as of January 1, 2023, bringing employee privacy rights fully within the CCPA framework. Virginia's CDPA retains an exemption for personal data processed in a commercial or employment context.

Controller vs. Processor. This boundary determines which obligations apply. A single entity may function as a controller with respect to its own customers and as a processor with respect to data it handles for another business, requiring dual compliance frameworks.

Covered Entities vs. Exempt Entities. Nonprofit organizations, government agencies, financial institutions subject to the GLBA, covered entities and business associates under HIPAA, and institutions of higher education subject to FERPA are commonly exempted from state statutes, though exemption scope varies by law.


Tradeoffs and Tensions

The state-by-state approach generates three primary structural tensions:

Compliance Cost vs. Regulatory Access. Organizations operating nationally face compliance programs calibrated to the strictest applicable state standard, effectively raising the floor for all operations. Small and mid-size businesses disproportionately bear these costs relative to revenue.

Uniformity vs. Innovation. States contend that differentiated approaches allow experimentation and tailoring to local norms. Critics argue that 19 inconsistent frameworks impose deadweight compliance cost without proportionate privacy benefit, and that preemptive federal legislation would better serve both consumers and industry.

Private Right of Action vs. Centralized Enforcement. California's CCPA grants consumers a private right of action for data breaches involving specific categories of unencrypted personal data. Most other state statutes do not include a private right of action, concentrating enforcement in the attorney general's office and reducing litigation risk but also limiting remedial reach. This tension shapes the practical deterrent effect of each statute.

Privacy program governance frameworks must account for these tensions when allocating compliance resources across jurisdictions.


Common Misconceptions

Misconception: CCPA/CPRA compliance covers all state obligations.
Correction: California's statute applies only to California residents. Organizations with customers in Virginia, Colorado, Connecticut, Texas, Florida, and other states with enacted statutes face distinct and non-identical obligations. A CCPA-compliant program does not automatically satisfy Virginia's CDPA or Colorado's CPA.

Misconception: Only large enterprises are subject to state privacy laws.
Correction: Virginia's CDPA applies to entities processing the personal data of 100,000 or more Virginia residents annually, or 25,000 residents if the entity derives over 50% of gross revenue from data sales. Businesses significantly smaller than Fortune 500 companies meet these thresholds.

Misconception: Consent is required for all data processing under state laws.
Correction: Most enacted US state statutes use an opt-out model for general personal data processing — not an opt-in model. Opt-in consent is required only for sensitive data categories. This contrasts with the GDPR's broader consent and legitimate interest framework.

Misconception: Privacy policies alone satisfy notice obligations.
Correction: State statutes impose specific disclosure requirements — including the categories of data collected, the purposes of processing, third-party recipients, and instructions for exercising consumer rights — that generic privacy policies often fail to address. Consent management frameworks must be architecturally integrated with data operations, not appended as static documents.

Misconception: State privacy laws cover all data about state residents.
Correction: Data exempt from federal sector statutes (HIPAA-covered data, GLBA-covered data, FERPA-covered data) is typically also exempt from state comprehensive statutes when held by regulated entities.


Checklist or Steps

The following sequence represents the standard operational phases for assessing multi-state privacy compliance obligations. This is a reference structure, not legal advice.

  1. Identify Applicable Statutes. Map the states in which the organization has customers, users, or resident data subjects. Cross-reference against enacted statutes and effective dates using the IAPP State Privacy Legislation Tracker.
  2. Apply Threshold Tests. For each applicable statute, determine whether the organization meets the data volume, revenue, or data-sale thresholds that trigger coverage. Document the analysis.
  3. Classify Data Categories. Inventory personal data collected and identify which fields qualify as sensitive under each applicable statute. Sensitive classifications differ across laws.
  4. Map Data Flows. Document the flow of personal data from collection through processing, storage, and third-party sharing. Third-party data sharing rules and vendor privacy management obligations attach at this stage.
  5. Assess Controller/Processor Relationships. Determine whether the organization functions as controller, processor, or both for each data stream, and establish appropriate contractual instruments.
  6. Conduct Data Protection Assessments. For high-risk processing activities (targeted advertising, profiling, sale of personal data, processing sensitive data), conduct and document privacy impact assessments as required by Virginia CDPA § 59.1-578, Colorado CPA, and analogous provisions.
  7. Implement Consumer Rights Workflows. Build operationalized processes for receiving, authenticating, and responding to access, deletion, correction, and opt-out requests within statutory timeframes (typically 45 days).
  8. Update Contractual Frameworks. Execute data processing agreements with all processors. Review contracts with data brokers and advertising technology vendors for compliance with opt-out-of-sale obligations.
  9. Establish Governance and Training. Assign accountability for multi-state privacy compliance. Coordinate with the chief privacy officer role or equivalent function. Implement privacy training and awareness programs calibrated to state-specific obligations.
  10. Schedule Compliance Reviews. Establish periodic privacy audit and compliance reviews aligned with statutory amendment cycles and attorney general guidance publications.

Reference Table or Matrix

State Comprehensive Privacy Law Comparison (Enacted Statutes, Selected States)

| State | Statute | Effective Date | Threshold (Residents) | Sensitive Data Opt-In | Private Right of Action | Enforcing Body |
|---|---|---|---|---|---|---|
| California | CCPA/CPRA (Cal. Civ. Code § 1798.100) | Jan 1, 2020 / Jan 1, 2023 | 100,000 consumers or 25% revenue from data sales | Yes | Limited (data breach only) | CA Privacy Protection Agency |
| Virginia | CDPA (Va. Code § 59.1-571) | Jan 1, 2023 | 100,000 residents or 25,000 + >50% revenue | Yes | No | Attorney General |
| Colorado | CPA (C.R.S. § 6-1-1301) | Jul 1, 2023 | 100,000 consumers or 25,000 + >50% revenue | Yes | No | Attorney General |
| Connecticut | CTDPA (Pub. Act 22-15) | Jul 1, 2023 | 100,000 consumers or 25,000 + >25% revenue | Yes | No | Attorney General |
| Texas | TDPSA (SB 2 H.B. 4) | Jul 1, 2024 | All controllers (no minimum threshold) | Yes | No | Attorney General |
| Florida | FDBR (SB 262) | Jul 1, 2024 | $1B+ revenue controllers only | Yes | No | Attorney General |
| Montana | MCDPA (SB 384) | Oct 1, 2024 | 50,000 consumers or 25,000 + >25% revenue | Yes | No | Attorney General |
| Oregon | OCPA (SB 619) | Jul 1, 2024 | 100,000 consumers or 25,000 + >25% revenue | Yes | No | Attorney General |

Threshold and effective date figures drawn from IAPP State Privacy Legislation Tracker and individual enrolled bill texts. Consult official state legislative databases for current text.

The us-privacy-laws-and-regulations reference provides broader context for how state statutes interact with the federal landscape, including sector-specific exemptions and the federal privacy framework discussion.

