July 9, 2025

US State Data Privacy Laws: What Businesses Need to Know

In recent years, data privacy has emerged as a critical concern for businesses and individuals alike. Consumers expect companies to safeguard their personal and sensitive data, and businesses are learning to operate within the guidelines of new state-level consumer data privacy laws.

Given the rapid evolution of technology and increasing awareness of privacy issues, US data privacy laws have become a patchwork of state-specific regulations, with a federal comprehensive consumer privacy policy yet to be enacted. The data privacy landscape in the US is set to become even more complex in the years ahead, with new laws poised to take effect and other privacy legislation expected to be introduced. At Concord, we understand the challenges of this evolving regulatory environment and are here to help you navigate it.

The Growing Complexity of US Data Privacy Laws

Unlike the European Union's General Data Protection Regulation (GDPR), which provides a unified framework for data protection, the US has opted for a state-by-state approach. After California passed its data privacy law, the California Consumer Privacy Act / California Privacy Rights Act, many states began to follow. As of February 2025, 20 states have enacted comprehensive data privacy laws, with 14 in effect today, three signed into law and taking effect later this year, and three signed into law and taking effect in 2026. This patchwork of rules creates a challenging environment for businesses that operate across multiple states. You can check out Concord's new data privacy state law fact sheets on our website and read on to learn what you need to know about the latest developments and key considerations for your organization.

Do you know who needs to comply with consumer data privacy laws?

The reach of consumer privacy laws extends beyond traditional brick-and-mortar businesses. Most of these laws apply to businesses that meet specific annual thresholds relating to the processing of state residents' data and the revenue derived as a result. Companies that conduct business in or target services to particular states must carefully evaluate their handling of personal information. Pay special attention if your business:

  • Collects and processes the personal data of state residents, including through websites
  • Derives revenue from selling personal data (note: "selling" often includes standard practices like interest-based advertising)
  • Handles sensitive information like biometric data

Note that each state privacy law has unique parameters. For instance:

  • Tennessee requires an annual revenue of at least $25 million
  • Nebraska takes a broad approach, applying to companies not classified as "small businesses"
  • Thresholds range from 10,000 to 175,000 consumer records, depending on the state

Comprehensive Privacy Bills: Key Exemptions

Not all organizations face the same requirements. Notable exemptions include:

  • Employee Data: Every state except California excludes employee data from privacy requirements
  • Healthcare Organizations: Most states offer HIPAA-related exemptions, though the specifics vary
  • Financial Services: Companies subject to the Gramm-Leach-Bliley Act (GLBA) may have different obligations state by state
  • Nonprofits: Only a handful of states (including Colorado, Delaware, New Jersey, and Oregon) generally apply their privacy laws to nonprofits, although the application of these laws varies by state

Data Privacy Legislation: Consumer Privacy Rights and Business Obligations

Modern state privacy laws mirror many GDPR principles, introducing or reinforcing critical consumer protections, such as:

  • The right to access personal data
  • The right to correct inaccurate information
  • The right to delete stored data
  • The right to opt out of certain data processing activities
  • The right to data portability

On the business side, these laws require companies to:

  • Obtain explicit consent for handling sensitive data
  • Honor consumer rights to access, delete, and correct their data
  • Respond to opt-out requests, including through universal opt-out mechanisms like the Global Privacy Control (GPC) browser setting
  • Meet varying state-specific deadlines for responding to consumer requests

Special Focus: Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a risk analysis tool that helps organizations evaluate and address potential privacy risks before they start processing sensitive personal data in new ways. Many states now require DPIAs for high-risk data processing activities, including:

  • Targeted advertising
  • Personal data sales
  • Profiling that could cause financial harm or discrimination
  • Processing of sensitive personal data
  • Biometric data processing (per FTC expectations)

Looking Ahead: Managing Consumer Privacy Bills

As the state data privacy regulatory environment evolves, businesses must remain vigilant and proactive in their data privacy practices. With increased data privacy legislation and state-level regulations, enforcement mechanisms are also becoming more robust. Companies must not only understand the specific requirements of each jurisdiction but also be prepared for audits and enforcement actions. Non-compliance can result in significant fines and damage to a company's reputation. Given the dynamic landscape of data privacy in the US, here are a few action items for organizations to consider:

  1. Evaluate your data collection practices and revenue sources.
  2. Document your compliance with state-specific requirements.
  3. Establish clear processes for handling consumer rights requests.
  4. Implement systems to recognize and respond to universal opt-out mechanisms.
  5. Develop a framework for conducting DPIAs when necessary.
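The opt-out obligation above and action item 4 both come down to the same engineering task: recognizing the Global Privacy Control signal on incoming requests and carrying that preference into every downstream decision about selling data or serving targeted advertising. The following is an added example, not Concord's code or any product described on this page. It relies on the fact that GPC-enabled browsers send the request header `Sec-GPC: 1`; the in-memory preference store, the consumer identifiers and the activity names (`sale`, `targeted_advertising`) are assumptions constructed for the example.

```python
"""Recognize the Global Privacy Control (GPC) opt-out signal and honor it.

Added example (not the blog's or Concord's code). Per the GPC specification,
a browser with the signal enabled sends the request header ``Sec-GPC: 1``.
Any other value, or the header's absence, is not an opt-out signal. The
preference store and activity names below are constructed for illustration.
"""
from typing import Dict, Mapping

# Processing activities that a universal opt-out signal covers under most
# state laws: sale of personal data and targeted advertising (assumed labels).
OPT_OUT_ACTIVITIES = ("sale", "targeted_advertising")


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup ignores case, but
    the value must be exactly "1"; values such as "0" or "true" are ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def record_opt_out(prefs: Dict[str, Dict[str, bool]],
                   consumer_id: str,
                   headers: Mapping[str, str]) -> Dict[str, bool]:
    """Apply the GPC signal from one request to the consumer's stored preferences.

    A later request *without* the header must not silently re-enable the
    processing: the signal only ever turns activities off. Turning them back
    on would require an explicit, documented consumer choice (not shown).
    """
    record = prefs.setdefault(
        consumer_id, {activity: True for activity in OPT_OUT_ACTIVITIES})
    if gpc_signal_present(headers):
        for activity in OPT_OUT_ACTIVITIES:
            record[activity] = False
    return record


def may_process(prefs: Dict[str, Dict[str, bool]],
                consumer_id: str,
                activity: str) -> bool:
    """Gate a downstream action (ad call, data-sharing job) on stored preferences."""
    record = prefs.get(consumer_id)
    if record is None:
        return True  # no preference on file; the activity's own lawful basis still applies
    return record.get(activity, True)


def choose_ad_mode(prefs: Dict[str, Dict[str, bool]], consumer_id: str) -> str:
    """Pick an ad-serving mode that respects the opt-out: contextual ads need no profile."""
    if may_process(prefs, consumer_id, "targeted_advertising"):
        return "targeted"
    return "contextual"


if __name__ == "__main__":
    # Constructed sample requests from one consumer, the second without the header.
    store: Dict[str, Dict[str, bool]] = {}
    record_opt_out(store, "consumer-42", {"Sec-GPC": "1", "User-Agent": "example"})
    record_opt_out(store, "consumer-42", {"User-Agent": "example"})
    print(store["consumer-42"], choose_ad_mode(store, "consumer-42"))
```

The header check is deliberately strict: accepting loose values such as `true` would be harmless for the consumer, but recording an opt-out only when the signal is valid keeps the audit trail (action item 2) unambiguous about why each preference was set.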

Conclusion

While the US data privacy landscape may be complex, it's not insurmountable. You can confidently navigate this complexity by leveraging Concord's data privacy and compliance solutions. Our tools and expertise will help you stay ahead of regulatory changes, minimize risks, and build trust with your users. For more information on how Concord can help, visit our website.

State Privacy Laws

  • California Consumer Privacy Act (Effective January 1, 2020)
  • Virginia Consumer Data Protection Act (Effective January 1, 2023)
  • Colorado Privacy Act (Effective July 1, 2023)
  • Connecticut Data Privacy Act (Effective July 1, 2023)
  • Utah Consumer Privacy Act (Effective December 31, 2023)
  • Florida Digital Bill of Rights (Effective July 1, 2024)
  • Oregon Consumer Privacy Act (Effective July 1, 2024)
  • Texas Data Privacy and Security Act (Effective July 1, 2024)
  • Montana Consumer Data Privacy Act (Effective October 1, 2024)
  • Delaware Personal Data Privacy Act (Effective January 1, 2025)
  • Iowa Consumer Data Protection Act (Effective January 1, 2025)
  • Nebraska Data Privacy Act (Effective January 1, 2025)
  • New Hampshire Consumer Data Privacy Act (Effective January 1, 2025)
  • New Jersey Data Privacy Act (Effective January 15, 2025)
  • Tennessee Information Protection Act (Effective July 1, 2025)
  • Minnesota Consumer Data Privacy Act (Effective July 31, 2025)
  • Maryland Online Data Privacy Act (Effective October 1, 2025)
  • Indiana Consumer Data Protection Act (Effective January 1, 2026)
  • Kentucky Consumer Data Protection Act (Effective January 1, 2026)
  • Rhode Island Data Transparency and Privacy Protection Act (Effective January 1, 2026)