PogoWasRight.org


U.S. State Privacy Laws: Making Sense of the Mess

Posted on February 1, 2025 by Dissent

Privacy law scholar Dan Solove writes:

The year kicked off with several privacy laws coming into effect, and there are several more scheduled to become active this year. Here’s a current list:

  • Iowa (January 1, 2025)
  • Delaware (January 1, 2025)
  • Nebraska (January 1, 2025)
  • New Hampshire (January 1, 2025)
  • New Jersey (January 15, 2025)
  • Tennessee (July 1, 2025)
  • Minnesota (July 31, 2025)
  • Maryland (October 1, 2025)

With about 20 states with a consumer privacy law (plus a growing number of subject-specific state privacy laws), the landscape is becoming unwieldy. But the laws share a lot of similarities, so it’s far from total madness.

Key Similarities and Differences

Here’s some help in cutting through the madness.

  • All state consumer privacy laws are extraterritorial.
  • Unlike the GDPR, which applies to all types of entities, most state laws apply only to for-profit companies (exceptions: MN, DE, NJ, CO, OR, MD).
  • Unlike the GDPR, nearly all state privacy laws don’t apply to the government (because in the U.S., governments hate to follow rules like everyone else).
  • Most define personal data similarly to the GDPR.
  • Unlike the GDPR, most have thresholds to exclude small business (but thresholds vary).
  • Most exclude data regulated by federal privacy laws such as HIPAA, GLBA, FCRA, and FERPA.
  • Most have similar categories of sensitive data, though there are some variations. Most recognized categories include racial or ethnic origin, sexual orientation (several also include sex life), genetic or biometric data, religious beliefs, mental and physical health diagnosis (considerable variation on how this is worded), citizenship or immigration status, data collected from a child, and precise geolocation.
  • Most provide for individual rights to access, deletion, correction, data portability.
  • Most provide opt out rights for sale of data, targeted ads, profiling.
  • Most require opt in (and a PIA) for processing sensitive data (exceptions: UT, CA).
  • Most require data processing agreements.
  • Most require PIAs for targeted ads, profiling, sensitive data, sale of data, and risk of harm.
  • Most are enforced by state AGs and have fines (exception: CA is enforced by a special privacy agency).
  • Most lack a private right of action (exception: CA has a private right of action for data breaches).

Read more at LinkedIn.

For more background and opinion from Dan, read an earlier piece by him: U.S. State Privacy Laws – A Lack of Imagination

Related: REPORT: The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better (EPIC and U.S. PIRG)

Category: Featured News, Laws, U.S.
