State Privacy Laws: What US Businesses Need to Know Beyond California

The United States does not have a federal comprehensive privacy law, but it increasingly has a patchwork of state laws that, taken together, impose meaningful privacy obligations on businesses operating nationally. California was the first to enact a comprehensive consumer privacy statute with the California Consumer Privacy Act in 2018, and the state has since strengthened it substantially with the California Privacy Rights Act. In the years since, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, Florida, and others have enacted their own comprehensive privacy statutes. For any business that collects personal information from residents of multiple states, understanding this patchwork is an operational necessity.

The California Framework: CCPA and CPRA

California’s privacy law is the most comprehensive and the most actively enforced. The CCPA, as amended by the CPRA, applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenues exceeding $25 million; annual purchase, sale, receipt, or disclosure of personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers’ personal information. The CPRA created a dedicated enforcement agency, the California Privacy Protection Agency, which has rulemaking and enforcement authority.

California law gives consumers the right to know what personal information is collected and how it is used, the right to delete personal information, the right to opt out of the sale or sharing of personal information (including sharing for cross-context behavioral advertising), the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising privacy rights. Covered businesses must provide a privacy notice at collection, maintain a comprehensive privacy policy, honor consumer rights requests within 45 days, and implement reasonable security measures.

Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA)

Virginia’s Consumer Data Protection Act, Colorado’s Privacy Act, and Connecticut’s Data Privacy Act follow a similar structure often called the ‘Virginia model.’ All three apply to businesses that process the personal data of a threshold number of state residents (typically 100,000 per year, or 25,000 if selling personal data) and all three recognize a similar set of consumer rights: access, deletion, correction, portability, and the right to opt out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects.

A distinguishing feature of the Virginia model is the consent requirement for sensitive personal data, which in these states includes data revealing racial or ethnic origin, mental or physical health conditions, biometric data, precise geolocation, and children’s data. Processing sensitive data requires opt-in consent from consumers under all three statutes. Colorado and Connecticut require data protection assessments for high-risk processing activities, creating a formal internal documentation obligation.

Texas (TDPSA) and Florida (FDBR)

Texas enacted the Texas Data Privacy and Security Act in 2023, with a scope and structure similar to the Virginia model but with several notable differences. Texas has no revenue threshold — businesses that meet the consumer threshold but fall below California’s $25 million revenue threshold still face Texas obligations. Texas does not have a private right of action; enforcement is by the Texas Attorney General. Florida’s Digital Bill of Rights, effective in 2024, takes a narrower approach, applying primarily to large technology companies with annual global revenues above $1 billion and at least one of several additional criteria. Most small and medium-sized businesses are not covered by Florida’s law.

Common Requirements Across State Laws

Despite their differences, the state comprehensive privacy laws share a common core that businesses can address with a unified compliance program. All of them require a privacy notice that describes the categories of personal data collected, the purposes for which it is used, and how consumers can exercise their rights. All require businesses to honor consumer requests to access, delete, and correct their data within specified timeframes (typically 45 to 60 days). All require data minimization — limiting collection to what is needed for the stated purpose. All require reasonable security safeguards. All require contracts with service providers that process personal data on the business’s behalf. And all prohibit discriminating against consumers who exercise their privacy rights.

Building a Multi-State Privacy Compliance Program

The most efficient approach for businesses subject to multiple state privacy laws is to build a compliance program around the most comprehensive applicable requirements and apply them uniformly. In practice, this means designing the program around California’s CCPA/CPRA (the most demanding) where California thresholds are met, and around the Virginia model for other states. Key elements of a multi-state program include a comprehensive privacy notice, a data map documenting what personal information is collected, where it comes from, how it is used, and with whom it is shared, a consumer rights request process with appropriate verification procedures, data processing agreements with all service providers, a sensitive data consent mechanism, and documented data protection assessments for high-risk processing.

The Bottom Line

The US state privacy law landscape is no longer a California-only concern. Any business with a national customer base or that collects personal information from consumers in multiple states needs to assess its obligations under each applicable state law and build a compliance program that addresses the common requirements efficiently. With more states likely to enact privacy laws in the coming years, investing in a scalable privacy compliance infrastructure now will reduce the cost of adapting to new requirements as they take effect.



Leave a Reply