Key Highlights
- The US lacks a comprehensive federal data privacy framework.
- 19 states have enacted comprehensive data privacy laws with varying obligations.
- State attorneys general enforce these laws, leading to significant compliance challenges for businesses.
- New amendments and enforcement actions underscore the evolving landscape of state privacy laws.
The Fragmented US Data Privacy Landscape
In the absence of a cohesive federal data privacy law, 19 states have stepped into the regulatory void with their own comprehensive data privacy statutes. These laws impose similar but nuanced obligations on businesses handling consumer personal data, creating a complex patchwork that companies must navigate.
California’s Pioneer Role
As early as 2018, California led the way with the California Consumer Privacy Act (CCPA), which established broad privacy rights for consumers. Following suit, 18 other states have implemented their own versions of data privacy laws, each with unique provisions and enforcement mechanisms.
Federal Preemption and State Laws
The American Data Privacy and Protection Act advanced through Congress but never made it to a floor vote amid concerns over pre-empting California’s robust regime. The American Privacy Rights Act faltered in 2024, leaving the current landscape largely unchanged.
State AGs as Key Regulators
State attorneys general play a pivotal role in enforcing these laws, with notable examples such as California AG Rob Bonta’s $1.55m settlement against Healthline Media for CCPA violations. Texas AG Ken Paxton secured historic settlements totaling over $1bn through high-profile data privacy lawsuits.
A Complex Compliance Environment
Businesses operating in multiple states face significant challenges due to the variability of state laws. For instance, an entity may be fully exempt from one law but subject to a data-level exemption under another. This complexity necessitates strategic compliance programmes that can adapt to diverse legal requirements.
Strategic Compliance Approaches
To manage this complexity, companies must build flexible compliance frameworks that account for the variations across state laws. Understanding when and how these laws apply is crucial, as non-compliance can result in substantial financial penalties and reputational damage.
Evolving State Privacy Laws
New amendments to existing privacy laws continue to shape the landscape, with a focus on stronger protections for minors’ data and broader coverage of entities. For example, five states now have age-appropriate design codes that shift responsibility onto platforms to protect minors through safer default settings.
Health Data Protections
Three states, including Washington, have established explicit state privacy protections for health data outside HIPAA’s scope. These laws often include private right of action provisions, adding another layer of complexity for businesses handling sensitive personal information.
Conclusion
Navigating the Regulatory Maze
The US data privacy landscape is a tangled web that businesses must navigate carefully. As federal efforts continue to stall, state laws will remain the primary framework for privacy compliance. Staying informed and adaptable is essential for companies looking to maintain consumer trust in this rapidly evolving environment.
© Financier Worldwide. By Arianna Evers and Amy Olivero, WilmerHale.