In 2025, the number of US states with their own data privacy laws on the statute books has grown rapidly: nine more state laws came into effect this year, and three further states—Indiana, Kentucky and Rhode Island—are set to begin enforcing their own rules on January 1, 2026, according to a report compiled by the International Association of Privacy Professionals (IAPP).
Since the introduction of California's landmark consumer privacy law in 2020, politicians in US state capitals have happily picked up the data protection baton: Colorado, Connecticut, Utah and Virginia passed comprehensive privacy laws in 2023; Montana, Oregon and Texas in 2024; and Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Tennessee this year.
Another 16 states are currently debating comprehensive privacy bills, including economic powerhouse states like Massachusetts and New York.
The full report provides a detailed picture of each state's privacy law, but its overall goal is to outline the contours of each regime and offer more meaningful guidance to organizations. IAPP is actively tracking changes to state privacy laws, with Connecticut, Montana and Oregon enacting amendments this year that expand coverage, broaden consumer rights and impose more obligations on businesses regarding the control and processing of personal data.
Where to start?
Müge Fazlıoğlu, IAPP's chief researcher for privacy law and policy, has been keeping an eye on these developments. She described the increasingly complex compliance work for organizations operating in the United States.
“The applicability of each US state's privacy law can be assessed through a multi-step process, as each state's law has a unique scope of application based on multiple thresholds,” she told Computer Weekly. “These thresholds are related to the organization's jurisdiction, revenue, volume of processing of personal data, and revenue generated from the sale of personal data.”
To illustrate how much the laws vary, there are currently five different thresholds for the processing of residents' personal data across the United States. These are: no threshold at all in Nebraska and Texas; 25,000 or more unique consumers in Montana; 35,000 in Connecticut, Delaware, Maryland, New Hampshire and Rhode Island; 100,000 in California, Colorado, Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregon, Utah and Virginia; and 175,000 in Tennessee. Thus, any organization holding data on Texas residents falls within scope, whereas an organization must hold data on 0.6% of the population of Maryland, or 3.3% of the population of tiny Delaware, before those states' laws apply.
Then there are the thresholds for the sale of personal data. Here again, Nebraska and Texas are the most restrictive, stipulating that the control, processing or sale of any personal data is subject to state privacy law, although with exceptions for small businesses. In California, by contrast, organizations are covered if they control or process any personal data and derive 50% or more of their revenue from the sale of that data. Colorado and New Jersey again set a population threshold of 25,000 or more unique consumers, and capture organizations that receive any revenue, or any discount on the price of goods or services, from the sale of personal data.
When it comes to exceptions, each of the 19 state laws excludes different organizations and the types of data they hold—most commonly government agencies, nonprofits, and institutions of higher education; and organizations that are already subject to national, sectoral legislation, such as the Health Insurance Portability and Accountability Act (HIPAA).
Again, there are plenty of differences. For example, laws in Colorado, Delaware, Minnesota, Montana, New Jersey, and Oregon do not exempt nonprofit organizations from liability. California and Maryland exempt non-profit organizations, but do not exempt higher education institutions and so on. There are nuances even here: Delaware, for example, exempts only some nonprofits, and its laws do not apply to those that process data held by nonprofits working with victims of child abuse, domestic violence, human trafficking or sexual assault. Neighboring Maryland exempts those who process or share personal information to assist emergency first responders or law enforcement investigating insurance fraud or crimes.
When it comes to business obligations under state privacy laws, all states require regulated entities to give consumers notice disclosing their privacy practices—California requires this at the point of collection—and all but Rhode Island and Utah impose data minimization and purpose limitation requirements on data collection or processing. These generally limit the collection, use, storage and sharing of consumer data to what is adequate, relevant and reasonably necessary. Most states, other than Iowa and Utah, require data protection impact assessments (DPIAs), and in Delaware, Indiana and Virginia DPIAs are specifically required for targeted advertising, the sale of personal information, or the profiling of individuals.
Naturally, all states require consent to process sensitive data, but again they define different categories of data as sensitive. Most state laws cover a standard set of data that most practitioners are familiar with, classifying children's data, ethnicity, religion and sexual orientation as sensitive. However, some states go further: Maryland and Oregon also treat national origin as sensitive, and five states—Connecticut, Delaware, Maryland, New Jersey and Oregon—include data that could reveal a person's status as nonbinary or transgender.
Meanwhile, Maryland has the only state-level law that does not classify mental or physical health data as sensitive, while California plows a unique furrow and classifies philosophical beliefs as a protected category, protecting existentialists, logical positivists, nihilists and stoics alike.
Finally, when we look at consumers' rights to access, correct and delete the data stored on them, things are a little simpler, but there are still differences to take into account. In every state, consumers can access, correct and delete their data—except in Iowa, where they cannot correct it, and Indiana, where they can only correct data they provided in the first place.
Similarities with GDPR
Organizations based in the UK or European Union (EU) that operate in the United States may be tempted to treat the practices and principles already established under the General Data Protection Regulation (GDPR) as a helpful guide to the growing maze of US rules, clauses and exceptions.
However, Fazlıoğlu said that while the requirements of the various US regimes regarding consumer rights, data minimization, purpose limitation of data collection and processing, and so on may at first glance seem familiar to organizations that are already GDPR compliant, data privacy professionals should be wary of drawing too many conclusions from that resemblance, and it would be a serious mistake to rely too heavily on GDPR practices.
“As we know, in the world of privacy and digital governance, compliance work requires constantly mapping the current situation, monitoring changes, and making necessary updates and adjustments,” she said. “When it comes to the overlap between GDPR and US state privacy laws, there is a lot to identify, evaluate, translate and consider. There is no simple checklist or formula for proving compliance…Organizations need to examine the extent of each state's privacy law and evaluate whether existing practices are sufficient.”
Fazlıoğlu said that understanding the scope and specifics of each law, including its categories of sensitive data and its definitions of key terms such as “sale,” is critical.
She said that while it may seem complex and daunting, the interplay between different laws and areas of practice and the GDPR could ultimately benefit consumers. “This encourages greater attention to the relationship between consumer protection and new technologies,” she said.
Federal laws are subject to debate
In parallel with the passage of legislation at the state level in the United States, calls continue for Washington, D.C., to pass a federal privacy law. While British and European observers unfamiliar with US political traditions may naturally feel inclined to favor a national data protection standard, this is not such a simple ask of the US federal system.
“For some it is preferable, but for others it is not,” Fazlioglu said. “For example, during discussions of the US Privacy Rights Act of 2024 and the US Privacy and Data Protection Act of 2023, we saw varying reactions from different groups – some supported these bills to simplify the situation, while others highlighted the risk of weakening the protections currently offered by state legislatures.”
IAPP has been tracking developments in this regard, examining contentious issues such as bipartisan support, a private right of action, and preemption. Fazlıoğlu said it is difficult to predict whether a federal law will be able to pass through the US Congress, but past attempts suggest that the inclusion of private right of action and preemption provisions affects a bill's ability to attract support from both Democrats and Republicans.
Fazlioglu added: “The question is not only whether federal privacy legislation is preferable, but also whether such law should function as a cap or a floor. Proponents of preemption argue that federal law should serve as a ceiling, establishing a single standard that takes precedence over state laws. In contrast, proponents of preserving state privacy laws believe that federal law should act as a floor—a minimum standard upon which states can rely.”
That's why Fazlioglu says it's important to consider changes in privacy laws at both the state and federal levels to see the full picture. “I believe state-federal dynamics influence each other. So while it is unclear whether we will see federal privacy legislation enacted, I expect continued discussions both domestically and between state and federal entities. Together, these conversations will continue to shape the U.S. approach to privacy law and policy in the coming years,” she said.