2025 Data law trends
6. US state consumer privacy laws are expanding
By Christine Chong, Christine Lyon
IN BRIEF
Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.
While these new state laws share some commonalities, their unique obligations contribute to a complex compliance landscape. Furthermore, certain states are also introducing specialized privacy laws, such as those focused on consumer health data. In this chapter, we explore the current status of US state consumer privacy laws, highlight key areas of alignment and divergence, and offer predictions regarding upcoming enforcement priorities.
title
Current status of state consumer privacy laws
California was the first state to pass a comprehensive consumer privacy law, called the California Consumer Privacy Act (CCPA), in 2018. Since then, other states started to pass their own laws and the first half of 2024 saw a surge of states passing these laws; at one point, a new state law seemed to pass weekly. These state consumer privacy laws are either in effect or shortly coming into effect through 2026.
As of the end of August 2024, 20 states had passed consumer privacy laws, and two further states had passed consumer health data laws. Notably, these laws have gained support on both sides of the political aisle, from both Democrat and Republican legislators.
The chart below shows the degree of bipartisan support for these privacy laws, reflecting, in blue, the states with consumer privacy laws with Democratic-party affiliated governors, and red for states with Republican-party affiliated governors.
*Consumer health data specific laws
1. Nevada Act Relating to Data Privacy
2. Washington My Health My Data Act
Laws passed as of August 31, 2024
While there initially appeared to be momentum in Congress toward a federal privacy bill, including for the American Privacy Rights Act of 2024 (APRA) being deliberated in this 118th Congress, support for the APRA has appeared to cool and commentators now think it’s unlikely that the APRA will pass in its current form in this legislative session.
We have reached a turning point in US privacy regulation, and there is no going back: the future involves greater regulation and protection for consumers.
Christine Lyon, Partner
This means that, for the foreseeable future, the state-level privacy laws are here to stay. Notoriously, the US has 50 different state data breach laws, and in principle, we could potentially end up with 50 different state consumer privacy laws as well.
Where do the laws align or differ?
The state consumer privacy laws share many core elements, including requirements related to:
- notice (eg additional detailed notices required in certain states);
- consumer rights (eg access, correction and deletion rights, as well as rights to limit processing of sensitive personal information and to opt out of certain activities, such as sale or sharing/use of personal information for targeted advertising);
- oversight of service providers/processors; and
- governance and accountability (eg data protection assessments, training and record-keeping).
While the state consumer privacy laws have started aligning in certain areas, none of these laws are exact duplicates, and the detailed requirements vary from state to state. Below, we highlight a few of the key areas where the laws differ more fundamentally in approach.
Applicability Thresholds
The laws generally apply to companies that conduct business in that state or produce goods or services that are targeted to residents of that state and meet certain thresholds, such as the number of consumers whose personal information they process each year and the level of revenue (if any) they derive from sale of personal information.
For example, the Virginia Consumer Data Protection Act (the Virginia law) applies to businesses that produce products or services that are targeted to Virginia residents and (i) during a calendar year, control or process personal information of at least 100,000 consumers, or (ii) control or process personal information of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal information.
In contrast, other laws apply only to companies that reach an annual revenue threshold (such as the CCPA) or exclude small businesses as defined by the US Small Business Administration. These laws also may apply to varying degrees to non-profit organizations.
Scope of Covered Individuals
Most of the laws apply only to consumers acting in an individual or household context and exclude individuals acting in an employment or professional/B2B context. However, the CCPA applies to all California residents, including those acting in an employment or professional/B2B context.
Sensitive Data Opt-in versus Opt-out; Health Data
The laws provide heightened protections for a wide range of data defined as ‘sensitive’ under these laws, such as:
- government issued identification numbers (eg Social Security Number);
- precise geolocation;
- data revealing racial or ethnic origin;
- genetic or biometric information; and
- personal information concerning a known child.
Certain laws include additional types of data as sensitive, for example, under the CCPA, sensitive personal information includes union membership, as well as the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication).
The Oregon Consumer Privacy Act includes a consumer’s status as transgender or nonbinary, or status as a victim of crime, as ‘sensitive’ data.
While some may assume that California’s CCPA has the highest requirements among the state privacy laws, the CCPA takes a less restrictive approach to sensitive data than many of the later state consumer privacy laws: the CCPA requires businesses to allow California residents to limit the processing of their sensitive personal information (similar to an opt-out approach), while many of the other state consumer privacy laws require businesses to obtain opt-in consent to process a consumer’s sensitive personal information.
New health data laws, have novel requirements for consumer health data, with distinct notice and consent requirements. For example, the Washington My Health My Data Act requires that businesses provide a separate and distinct link to a Consumer Health Privacy Policy that may not contain additional information not required under the law.
Sale of Personal Information; Use for Targeted Advertising
The laws give consumers varying rights to opt out of the ‘sale’ of their personal information, and to opt out of the use of their personal information for targeted advertising.
California’s CCPA obligations are particularly broad-reaching and administratively burdensome, given the CCPA’s expansive definition of ‘sale’ and requirement to include a specific ‘do not sell or share my personal information’ link if a company engages in covered ‘sales’ or ‘sharing.’ Differing definitions of ‘sale’ among these laws also can complicate attempts to take a cohesive approach across states.
Governance
The laws generally require that businesses conduct a data protection assessment for processing activities that present a heightened risk of harm to a consumer. The Minnesota Consumer Data Privacy Act goes further and requires that companies maintain an ‘inventory’ of personal information, and separately document and maintain a description of policies and procedures to comply with the law, including where applicable, the name and contact information for the chief privacy officer or other individual with primary responsibility.
California’s CCPA also includes training requirements for personnel handling privacy-related inquiries or requests.
Predictions on enforcement priorities
State attorneys general and regulatory agencies can initiate investigations and enforcement actions against both controllers and processors. For example, the CCPA regulations provide that the California Privacy Protection Agency (CPPA) may audit a ‘business, service provider, contractor or person,’ and that the audit may be announced or unannounced as determined by the CPPA. The Virginia Law also explicitly states that the Attorney General has authority to enforce the provisions of the law on controllers and processors.
Regulators, including attorneys general and privacy enforcement agencies, have newfound powers under these state consumer privacy laws — and they are prepared to exercise those powers.
Christine Chong, Associate
As the state privacy laws are relatively new, we focus on predictions, including based on past actions from enforcement activities and guidance on the oldest of the state privacy laws.
- 2025 will come with more enforcement actions and continued ‘sweeps.’ State attorneys general and regulators have initiated investigative ‘sweeps’ of certain industries under these laws, in which the regulator sends information requests to companies and may initiate further investigations based on their responses. Examples include California’s CPPA launching investigative sweeps with letters to businesses with popular streaming apps and devices, as well as on topics such as employers and HR-related data, mobile applications and loyalty programs. In July 2023, the CPPA initiated an inquiry into privacy practices of connected vehicles and related technologies, which is understood to be understood to be ongoing.
- 2025 enforcement actions will focus on processing of sensitive data. Colorado has announced an investigative sweep focused on collection and use of sensitive data, including on the requirements to obtain consent prior to collecting sensitive data, and allow consumers to opt out of targeted advertising and profiling. Additionally, the Texas Attorney General launched a major data privacy and security initiative earlier this summer to establish a team that is focused on ‘aggressive enforcement’ of Texas’ privacy laws. The statement noted that the data privacy enforcement team will focus on several privacy laws to protect Texans’ sensitive data.
- 2025 enforcement actions will be responsive to consumer complaints. State attorneys general and regulators have emphasized that they are listening to consumer complaints and taking action informed by these complaints. For example, the CPPA has detailed its process to review and evaluate every complaint that it receives, and over 2,000 consumer complaints were received from July 6, 2023 to June 30, 2024. The California Attorney General also noted that one of its major recent CCPA actions arose in part from a consumer’s complaint on social media about the company’s processing of their personal information. The volume of complaints will likely increase over time, as a number of the state consumer privacy laws now require a business to provide the consumer with a mechanism or information through which the consumer may contact the Attorney General to submit a complaint if the business has denied the consumer’s request even in part.
Looking Ahead
As the number of US state consumer privacy laws continues to grow, it’s crucial for companies to take proactive steps to navigate this evolving landscape.
Here are three key actions to consider:
1. Develop a Compliance Strategy: Collaborate with your business teams to create a comprehensive approach for complying with state privacy laws. With new legislation emerging regularly, having a robust privacy compliance strategy will help you establish sustainable policies and procedures.
2. Review Consumer Rights Mechanisms: Take a close look at the rights mechanisms available to consumers. This includes evaluating the methods you have in place and ensuring you’re ready to respond effectively.
Keep in mind:
- This area is under high scrutiny, with significant volumes of complaints reported by the CPPA.
- Consumer rights mechanisms are highly visible to regulators, making it easy for them to spot potential deficiencies (for example, companies receiving CCPA notices of violation for failing to include a ‘Do Not Sell or Share My Personal Information’ link on their sites).
- Prioritizing these mechanisms is essential, as they are a focal point of US state privacy laws and play a crucial role in building customer trust.
3. Educate and Engage Your Team: Share updates on new privacy laws and provide training for employees on how to handle data subject requests and the importance of compliance. Keeping your team informed and engaged is vital for fostering a culture of privacy within your organization.
2025 Data law trends
- 01. AI governance takes center stage
- 02. International data transfers are under the spotlight
- 03. A new wave of cyber threats is here
- 04. New global regulations are changing our digital operations
- 05. Tougher enforcement is reshaping data and privacy compliance
- 06. US State consumer privacy laws are expanding
- 07. Asia’s privacy laws are maturing
- 08. New EU data access regulations are shaping the future