Federal vs. state authority, comprehensive state privacy statutes, and data breach notification laws.
State Privacy Laws in the United States represent a critical layer of privacy regulation that operates alongside federal laws to protect individuals' personal information. Unlike many countries that have a single comprehensive national privacy law, the U.S. employs a sectoral approach, and states have increasingly stepped in to fill gaps left by federal legislation.
California has been a pioneer with the California Consumer Privacy Act (CCPA) enacted in 2018, later amended by the California Privacy Rights Act (CPRA) in 2020. The CCPA/CPRA grants consumers rights including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal data, and the right to non-discrimination for exercising privacy rights. It applies to businesses meeting specific revenue or data processing thresholds.
Following California's lead, numerous states have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and many others. While these laws share common elements—such as consumer rights to access, correct, and delete data, and requirements for data protection assessments—they vary in scope, enforcement mechanisms, and specific obligations.
Many states also maintain sector-specific privacy laws addressing data breach notification, student privacy, employee monitoring, biometric data (notably Illinois' BIPA), and health information. All 50 states have enacted data breach notification laws requiring organizations to notify individuals when their personal information is compromised.
For privacy professionals, navigating state privacy laws requires understanding the varying definitions of personal information, differing applicability thresholds, unique consumer rights provisions, opt-in versus opt-out consent models, and distinct enforcement frameworks. Some states rely solely on attorney general enforcement, while others may include private rights of action.
The evolving state privacy landscape creates compliance challenges for organizations operating across multiple jurisdictions, making it essential for CIPP/US professionals to stay current with legislative developments and understand how overlapping requirements interact.