Emerging State Privacy Legislation

Reviewed by Danielle Vargas, CIPP/US, CIPM

At least twelve US states have enacted comprehensive privacy laws, and that number will reach twenty within two to three years. The laws share a common pattern — consumer rights to access, delete, correct, and opt out — but vary in scope, definitions, timelines, and enforcement. Build compliance infrastructure around CPRA as your strictest baseline, then layer in state-specific modifications as new laws take effect.


Three years ago, privacy compliance meant understanding California's CCPA. That's no longer true. A dozen states have enacted comprehensive privacy laws. More are in various stages of legislative progress. If you thought GDPR and CCPA were the privacy frameworks you needed to worry about, your understanding is outdated. The landscape has shifted from a single-state problem to a multi-state reality that creates operational complexity for any organization processing personal information.

Understanding this emerging privacy landscape is essential because your compliance obligations change every time a new state law takes effect. You cannot wait until a law is active to begin preparing — by then you're scrambling to implement changes on short timelines. Understanding the patterns, knowing which states have laws coming, and building compliance infrastructure that adapts to new requirements is the difference between managing a compliance program and fighting fires constantly.

At least twelve states have active privacy laws — and the pace is accelerating

California led with the CCPA and CPRA. Colorado passed the Colorado Privacy Act. Connecticut enacted the Connecticut Data Privacy Act. Delaware passed the Delaware Personal Data Privacy Act. Indiana, Iowa, Montana, New Hampshire, Oregon, Tennessee, Utah, and Virginia all have comprehensive privacy laws in effect.

These laws vary in scope, requirements, and enforcement mechanisms. Colorado's law covers a different scope than Virginia's. Utah's law includes different definitions of personal information than California's. Montana's law had its effective date delayed due to litigation. Tennessee's law has different opt-out requirements than Oregon's.

What they share is a common pattern: they all grant consumers rights similar to those under GDPR and CCPA — access, deletion, correction, opt-out of sales or sharing. They all impose requirements on how organizations collect and handle personal information. They all have enforcement mechanisms, whether through the state attorney general, a dedicated privacy agency, or both.

The pace of enactment is accelerating. When CCPA was passed, it seemed California-specific. Now that multiple states have demonstrated that comprehensive privacy laws are legislatively and politically feasible, more states are following. The practical reality is that the list of states with comprehensive privacy laws will be closer to twenty than twelve within the next two to three years.

The common pattern enables standardization — but the variations create real compliance gaps

The good news is that most state privacy laws follow a pattern that allows some degree of standardization. Most include similar consumer rights: access, deletion, correction, opt-out. Most require transparency about data collection and use. Most impose security safeguard requirements, though the specificity varies. This pattern means an organization that builds compliance infrastructure around CCPA/CPRA can extend it to meet other state requirements without starting from scratch. A system for handling consumer access requests under California law can be adapted for Colorado, Connecticut, or Virginia.

But the variations matter. Some state laws have different definitions of personal information. Some include B2B data while others explicitly exclude it. Some require different timelines for responding to consumer requests. Some allow different exceptions to the right to delete. Some require a data protection officer; others don't. Colorado's law defines personal information differently than California's, meaning some data covered under CCPA may not be covered under Colorado's law, and vice versa. Virginia's law allows broader exceptions to the deletion right for business records. Utah's law includes exemptions for certain data types.

Enforcement varies significantly. Some states have a dedicated privacy agency like California's Privacy Protection Agency. Others rely on the state attorney general. Some allow private rights of action; others don't. The practical implication is that an organization can adopt CCPA/CPRA compliance as a baseline and layer in state-specific modifications, rather than building completely independent compliance programs for each state. The cost of getting this wrong is real: according to the Ponemon Institute's 2023 research, the average cost of a data breach reached $4.45 million — and organizations operating across multiple regulatory jurisdictions faced higher costs due to the complexity of multi-state compliance obligations.

Staggered effective dates create a rolling compliance obligation you must plan for

One of the most challenging aspects of multi-state privacy law compliance is that the laws don't all take effect simultaneously. States typically set the effective date 12 to 18 months after enactment. This means that while you're still implementing compliance for one state's law, another state's law is approaching its effective date.

California's CCPA took effect January 2020. CPRA modifications began taking effect in January 2023. Colorado's law took effect July 2023. Virginia's law took effect January 2024. Connecticut's law takes effect July 2024. Delaware's takes effect January 2025. Others are coming.

What this staggered timeline creates is a rolling compliance obligation. You're never done with state privacy law compliance because there's always a new law approaching its effective date. By the time you've fully implemented compliance for one state's law, another state's law is months away and requires preparation. This is fundamentally different from federal regulation, where a single law takes effect and you're in compliance across the entire country.

The advantage of understanding this timeline is that you can plan accordingly. If you know Virginia's law is active, Connecticut's is imminent, Montana's is uncertain due to litigation, and Delaware's is approaching, you can prioritize your implementation schedule and phase compliance rather than treating every state law as equally urgent.

Scope, definitions, and enforcement mechanisms differ in ways that affect your operations

Not all state privacy laws have identical scope. Some apply only to for-profit organizations; others include nonprofits. Some have revenue thresholds or employee count thresholds. Colorado's law has a revenue threshold of four million dollars, calculated differently than California's threshold. Virginia's law applies to organizations collecting personal information of 100,000 or more consumers or households, a different applicability test than many other states use.

The definition of personal information also varies. Some states include IP addresses; others don't. Some include biometric information; others handle it separately. Some include pseudonymized data; others don't. Consumer rights vary in specifics — what counts as "sales" and "sharing" differs across states. Some define sales very broadly (like California); others are narrower. Some require opt-in consent for certain processing; others allow opt-out.

Enforcement varies in ways that directly affect your risk exposure. Some states allow private rights of action, meaning consumers can sue you directly. Others limit enforcement to the attorney general, which typically means fewer but larger enforcement actions. The 2024 Verizon Data Breach Investigations Report found that 32% of all breaches involved phishing — and privacy laws increasingly treat inadequate security controls as a separate violation from the breach itself, compounding exposure for organizations without strong technical safeguards.

Build on CPRA as your baseline — it's the strictest and covers the most ground

Many organizations are adopting the practical approach of building compliance infrastructure to meet California's CCPA/CPRA requirements, which are among the strictest, and then layering in state-specific modifications as needed. This works because if you're complying with California's broad definition of personal information, you're covering most other states' definitions. If you're honoring California's broad opt-out rights, you're covering most other states' requirements.

The modifications aren't trivial. You may need to adjust your applicability analysis for states with different thresholds. You may need to modify your opt-out mechanisms for states with different requirements. You may need to update your privacy policy to address state-specific language requirements. But these are modifications to an existing foundation, not building from scratch for each state.

Some organizations build compliance matrices that map each state law to their compliance systems — which systems handle access requests, which track opt-outs, which monitor data retention. Once you've built this mapping, adding a new state's law becomes a question of whether it requires new systems or modifications to existing ones.

Federal privacy law is unlikely to preempt state laws — prepare for state-level compliance

A legitimate question is whether to prepare for state laws or wait for federal privacy law that might preempt them all. There's Congressional discussion about comprehensive federal privacy legislation. Some experts predict federal privacy law within five years. Others are skeptical given political disagreements.

The historical pattern is clear: Congress moves slowly on privacy legislation. The last comprehensive federal privacy laws were GLBA in 1999 for financial services and HIPAA in 1996 for health information. Against this backdrop, waiting for federal law while state laws are already taking effect is a losing strategy.

Additionally, even if federal privacy law is enacted, it's likely to set a floor, not a ceiling — establishing baseline requirements nationally while allowing states to impose stricter requirements on top. This is the pattern under GLBA and HIPAA: federal law sets minimum standards, but states can and do impose additional requirements. A future federal privacy law would not necessarily preempt state laws; it may exist alongside them. Preparing for state privacy laws now is the safer strategy. If federal law eventually passes and preempts state laws, your compliance infrastructure isn't wasted — it positions you to meet the federal baseline more easily.

Build adaptable infrastructure — static compliance programs will fail as new laws arrive

Organizations managing the emerging privacy landscape effectively are building compliance infrastructure that's adaptable to new requirements rather than static. This means building systems configurable for different state requirements, rather than hardcoding California's requirements into every system. A consent management system built for CCPA should be configurable to handle other states' consent requirements. An access request system should handle different state timelines and scope requirements. A data retention system should accommodate policies that vary by state.

It also means building a data governance foundation. Understanding what personal information your organization collects, where it comes from, how it's used, who it's shared with, and how long you retain it is foundational to compliance with any state's privacy law. Once you've built this foundation, adapting to new state requirements becomes easier because you already know what data you're managing.

Privacy law compliance at scale is expensive. Building systems to handle access requests, honor deletion requests, manage opt-outs, and respond to regulator inquiries costs money. Extending that to multiple state requirements costs more. But the cost of reactive compliance — scrambling when a new law takes effect — is higher. Organizations that build proactively can handle new state laws with modifications to existing systems at a fraction of the cost of building new systems reactively. The organizations that manage this effectively treat multi-state compliance as inevitable and plan accordingly, rather than treating each state law as a surprise.


Frequently Asked Questions

How many states currently have comprehensive privacy laws?
At least twelve states have enacted comprehensive consumer privacy laws that are active or taking effect, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, Oregon, Tennessee, Utah, and Virginia. That number is expected to reach twenty within two to three years as more states advance privacy legislation.

Can I build one compliance program that covers all states?
Not perfectly, but close. Build your compliance infrastructure to meet CPRA standards — the strictest current baseline — and then layer in state-specific modifications for definitions, timelines, and enforcement mechanisms. This is far more efficient than building independent compliance programs for each state.

Will a federal privacy law make state compliance unnecessary?
Unlikely. Historical precedent (GLBA, HIPAA) shows that federal privacy laws typically set a floor, not a ceiling — states can and do impose stricter requirements. Even if federal legislation passes, state laws will likely remain relevant, making your existing state compliance infrastructure valuable.

What's the biggest operational challenge of multi-state privacy compliance?
The staggered effective dates. New state laws take effect on a rolling basis, meaning you're never done implementing. By the time you've fully implemented one state's requirements, another state's law is approaching its effective date. Building adaptable systems that can be reconfigured for new requirements is the only sustainable approach.

Do small businesses need to worry about multi-state privacy laws?
It depends on the thresholds, which vary by state. California exempts businesses with under $25 million in annual revenue unless they meet other applicability criteria. Other states have different thresholds. If you collect personal information from residents across multiple states, review each state's applicability criteria — you may be in scope for some states but not others.


Fully Compliance provides educational content about IT compliance and privacy regulations. This article reflects general information about state privacy laws as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.