In the last few years, the landscape of U.S. consumer privacy laws has evolved significantly, with 19 states enacting consumer privacy regulations modeled after California’s landmark California Consumer Privacy Act (CCPA). As of 2024, three of these laws are already in effect, eight more will become active in 2025, and the remainder are slated for 2026 implementation. These laws are reshaping how businesses handle consumer data and impose strict new requirements on companies to safeguard personal information and uphold privacy rights.
However, while there are many similarities across these state laws, they diverge in key areas, creating compliance challenges for businesses operating in multiple jurisdictions. In addition to general consumer privacy laws, there are specific regulations concerning health data, children’s privacy, and data brokers that must also be navigated. With the introduction of AI-specific laws and data security provisions coming into effect, it is essential for enterprises to stay up to date on these complex and evolving regulations.
Overview of New State Consumer Privacy Laws
Nineteen states have followed California’s lead in passing comprehensive consumer privacy laws, with a variety of thresholds and applicability rules. Key states with laws already in place or becoming effective soon include:
California: The CCPA, amended by the California Privacy Rights Act (CPRA), remains the gold standard in the U.S. for privacy rights. As of January 1, 2023, the CPRA has expanded consumer rights and compliance requirements, including new provisions for data risk assessments and cybersecurity audits.
Colorado: The Colorado Privacy Act (CPA), effective July 1, 2023, introduces a variety of consumer rights, including the right to opt out of targeted advertising and data sales, along with transparency and accountability provisions for data controllers.
Connecticut: The Connecticut Data Privacy and Online Monitoring Act, also effective July 1, 2023, closely mirrors other state laws but with unique provisions on opt-out rights and children’s data.
Key Provisions and Differences Across Laws
While there are many similarities across these new laws, differences in details and scope can create challenges for businesses. Below are some of the major areas of divergence:
Thresholds for Applicability: Different states have varying thresholds for which businesses must comply. For example, California and Colorado require businesses to meet specific revenue or consumer data processing thresholds (e.g., $25 million annual revenue or 100,000 consumers). Other states like Texas and Florida have different requirements, focusing on business size and consumer data processing volume.
Consumer Rights: Most states now include rights similar to those found in the General Data Protection Regulation (GDPR), such as the right to access, delete, and correct personal data. However, certain states, like Virginia and Utah, offer more limited rights to consumers in terms of data portability and correction.
Sensitive Personal Data: A critical area of divergence is how states define and handle sensitive data, such as health data and information on children. Some states, like Colorado and California, provide explicit rights related to sensitive data, requiring businesses to obtain opt-in consent for processing this information. Other states, such as Connecticut, have slightly different requirements for processing sensitive data.
Opt-out Provisions for Data Sales and Targeted Ads: All these laws include provisions that allow consumers to opt out of the sale of their personal data and of targeted advertising, but the methods and obligations differ. For instance, under California’s CCPA/CPRA, businesses must implement a clear opt-out mechanism, while Florida and Texas laws impose stricter compliance requirements on businesses exceeding a set threshold, such as revenue from online ads.
New Regulations to Look Out for in 2025 and Beyond
2025 will see significant updates to California’s data privacy landscape, as additional regulations related to AI, data brokers, and data risk assessments come into play. These new regulations will require businesses to conduct thorough data security audits and submit cybersecurity risk assessments to state authorities. Furthermore, businesses subject to California’s CCPA will need to comply with new ADM (Automated Decision-Making), AI, and profiling rules, which will likely require complex operational adjustments.
The upcoming Data Broker Regulations across several states will also have a significant impact on businesses. These regulations will require companies that sell or trade consumer data to comply with specific registration and disclosure obligations.
Action Steps for Businesses
As these new laws come into effect, businesses need to be proactive in ensuring compliance:
Review State Laws: Organizations should conduct a thorough review of the applicable state laws in the jurisdictions where they operate. This includes checking revenue thresholds, consumer data processing volumes, and specific rights provided to consumers in each state.
Update Privacy Notices: For many states, updating privacy notices is required, especially under California’s CPRA. These notices must detail consumer rights, opt-out mechanisms, and data processing practices.
Implement Opt-Out Mechanisms: Businesses must ensure they have easy-to-use opt-out mechanisms in place for consumers to control their data preferences, including the sale of personal data and targeted advertising.
Budget for Compliance Costs: With the introduction of new reporting and compliance requirements in 2025 (such as the cybersecurity audit and risk assessments in California), businesses should begin budgeting for these operational costs.
2025-2026 Timeline and Key Dates
The new state laws and their implementation schedules are spread out over several years, with key dates approaching in 2024, 2025, and 2026. As shown in Table 1, the following laws will become effective soon:
2024: Montana (October 1), Florida (July 1), Texas (July 1), Oregon (July 1)
2025: Delaware (January 1), Iowa (January 1), New Hampshire (January 1), New Jersey (January 15), Nebraska (January 1), Tennessee (July 1), Maryland (October 1)
2026: Indiana (January 1), Kentucky (January 1), Rhode Island (January 1)
Table Comparisons of State Privacy Laws (Tables 2 and 3)
The accompanying tables highlight key distinctions and similarities between these laws, providing a quick reference guide for businesses to assess their obligations. As businesses prepare for the upcoming regulations, they should focus on understanding which laws apply based on their size, data practices, and target market.
In summary, the growing number of state consumer privacy laws requires businesses to stay vigilant and well-prepared for compliance. As states implement these laws over the next few years, businesses must assess their data practices, update privacy policies, and ensure they are ready for more stringent reporting and operational requirements starting in 2025. With the right strategy in place, businesses can navigate this evolving landscape and stay ahead of regulatory changes. For more guidance, companies should consult privacy professionals to ensure they are ready for the upcoming legal obligations.