Oh My Gourd, Another Data Privacy Law?! 

Bricker Graydon LLP

In 2018, there were two comprehensive state data privacy bills introduced across the United States and a whopping zero were in effect.  Fast forward six years and there have been 41 new data privacy bills considered this year alone and a total of 19 laws enacted to date.[1]  And 2025 promises a flurry of state, federal, and international data privacy regulation.  But does this mean that you have to comply with all of them?  Maybe.  Even if you only operate in one state?  Again, maybe.  The key is to understand the thresholds of the potentially applicable laws and then find the commonalities.     

For the most part, comprehensive state data privacy laws share the same fundamental requirements, which allows for a more uniform approach to compliance.  The place to start, however, is whether you even need to comply.  For that, while a close and thorough review of the law is best, there are a few things to look for:

  1. Do you engage in business activities with vendors, customers, or consumers in another state? Engaging in business activities should be considered broadly when determining if you have interactions with another state that may warrant your compliance with its data privacy laws.  Do not automatically rule out your company’s potential need for compliance until you consult with a data privacy professional, as the nuances of what constitutes a “business activity” and “collection of data” vary from state to state.
  2. Even if you do not engage in business practices in another state, do you have a gross revenue of $25 million or more? Some states have a general revenue threshold that may require your compliance, even if you do not engage in business practices in another state.
  3. Do you have a website that is accessible in other states? Does your website include contact forms, ordering capabilities or tracking cookies? Collecting website visitors' IP addresses could subject your organization to compliance with data privacy laws in other states. Website analytics tools often capture more data than anticipated, including IP addresses, keystrokes, and mouse movements. Depending on the scope and nature of the data being collected, you may be required to comply with state-specific data privacy regulations that govern such activities.
  4. Are you working with another company that requires your compliance with data privacy regulations through a contractual obligation, whether as a processor or controller? As a corporate attorney, I’ve observed a growing trend in service agreements and contracts that include data processing addendums (DPAs) and specific provisions mandating compliance with data privacy laws. These requirements are increasingly common as organizations aim to align with frameworks like the GDPR, CCPA, or other state and international regulations. It's essential to thoroughly review your client and vendor agreements to understand your obligations and ensure compliance with applicable data privacy practices.
  5. Do you process personal information? Processing personal information encompasses any action your company performs involving such data, including collection, use, sale, storage, disclosure, or analysis. Personal information nearly always refers to any data that can be used to identify an individual, such as their name, email address, physical address, IP address, phone number, or other identifiers. Understanding the breadth of "processing" and "personal information" is crucial for compliance with data privacy laws, as these definitions often determine your obligations under various regulatory frameworks.

With nearly two dozen comprehensive state data privacy laws in effect or soon to be in effect, now is the time to revisit your data collection practices and ensure that your internal and external privacy policies are compliant.

States with active data privacy laws include: California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, Virginia.

States with laws coming into effect in 2025: Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee.

States with laws coming into effect in 2026: Indiana, Kentucky, Rhode Island.

And don’t forget, if you have a globally accessible website that targets or could potentially target European customers, there are international data privacy laws to be mindful of! The average fine for violations of the EU’s General Data Protection Regulation (GDPR) was €4.4 million in 2023.[2]

Don’t let these fines gobble you up! And have a happy holiday!


[1] https://iapp.org/resources/article/us-state-privacy-laws-overview/

[2] https://www.statista.com/chart/amp/30053/gdpr-data-protection-fines-timeline/


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bricker Graydon LLP
