U.S. State Privacy Laws: Making Sense of the Mess


The year kicked off with several privacy laws coming into effect, and there are several more scheduled to become active this year. Here’s a current list:

  • Iowa (January 1, 2025)
  • Delaware (January 1, 2025)
  • Nebraska (January 1, 2025)
  • New Hampshire (January 1, 2025)
  • New Jersey (January 15, 2025)
  • Tennessee (July 1, 2025)
  • Minnesota (July 31, 2025)
  • Maryland (October 1, 2025)

With about 20 states having a consumer privacy law (plus a growing number of subject-specific state privacy laws), the landscape is becoming unwieldy. But the laws share a lot of similarities, so it's far from total madness.


Key Similarities and Differences

Here’s some help in cutting through the madness.

  • All state consumer privacy laws are extraterritorial.
  • Unlike the GDPR, which applies to all types of entities, most state laws apply only to for-profit companies (exceptions: MN, DE, NJ, CO, OR, MD).
  • Unlike the GDPR, nearly all state privacy laws don’t apply to the government (because in the U.S., governments hate to follow rules like everyone else).
  • Most define personal data similarly to the GDPR.
  • Unlike the GDPR, most have thresholds to exclude small business (but thresholds vary).
  • Most exclude data regulated by federal privacy laws such as HIPAA, GLBA, FCRA, and FERPA.
  • Most have similar categories of sensitive data, though there are some variations. Most recognized categories include racial or ethnic origin, sexual orientation (several also include sex life), genetic or biometric data, religious beliefs, mental and physical health diagnosis (considerable variation on how this is worded), citizenship or immigration status, data collected from a child, and precise geolocation.
  • Most provide for individual rights to access, deletion, correction, and data portability.
  • Most provide opt-out rights for sale of data, targeted ads, and profiling.
  • Most require opt in (and a PIA) for processing sensitive data (exceptions: UT, CA).
  • Most require data processing agreements.
  • Most require PIAs for targeted ads, profiling, sensitive data, sale of data, and risk of harm.
  • Most are enforced by state AGs and have fines (exception: CA is enforced by a special privacy agency).
  • Most lack a private right of action (exception: CA has a private right of action for data breaches).

Data Minimization: Maryland’s Privacy Law

The biggest outlier is Maryland, which takes a data minimization approach. The law states that collection or processing of personal data must be “reasonably necessary” to provide the product or service requested by the consumer, unless the consumer opts in to broader data use. Sensitive data requires opt in, and it may not be collected or processed unless “strictly necessary” to provide the product/service. And processing beyond what is strictly necessary is prohibited – even with consent!

Subject-Specific Privacy Laws

States are also passing subject-specific privacy laws. Hot areas include:

  • Biometric data
  • Health data
  • Children’s data
  • Online content moderation
  • Education privacy

Privacy Training Circa 2025: What to Do?

You can’t train the entire workforce on all these privacy laws, so what should you do? My recommendations:

  1. Train on key privacy principles and concepts that underpin most laws.
  2. Train employees in specific roles with training relevant to them – marketing folks should get trained about marketing laws (TCPA, CAN-SPAM, CASL); engineers should be trained in privacy and data protection by design; HR folks who handle PHI should be given HIPAA training, and so on.
  3. Train the privacy and legal teams (and others in relevant roles) with the basics of various laws. These people should learn at least the basics of how various laws work. They don’t need to become experts in each law, but should have a rough sense of the landscape.

If you want help with privacy training, I have courses and resources for all of the above – courses that synthesize privacy laws, courses on specific privacy laws, and courses on various privacy concepts (data minimization, PIAs, DSRs, data mapping, secondary use, data retention, and more). I have whiteboards for 100+ laws that summarize each law in 1 page. Reach out if you’re interested.

US State Consumer Privacy Laws Training Course

Professor Solove’s Newsletter (free)

Sign up for Professor Solove’s Newsletter about his writings, whiteboards, cartoons, trainings, events, and more.

Pre-Order Prof. Solove’s forthcoming book, ON PRIVACY AND TECHNOLOGY

Click here to pre-order the book


U.S. State Consumer Privacy Law Whiteboards

For my whiteboards (1-page summaries) of the U.S. state consumer privacy laws, visit


Lily Oblie

Legal Associate | Data privacy and Intellectual Property| Tech law | Real estate acquisition

5 days ago

Thank you Daniel Solove. Well explained. I love how you highlighted the contrasts and similarities between the laws.

Don Cape

Director of Regulatory Compliance at DC Associates Inc

3 weeks ago

The problem with State privacy laws is that there are no experienced privacy pros involved with the final drafting and committee work. It often ends up as a copy-and-paste stew seasoned with lobbyist concessions.

Paul G.

Check out the 77+ authored articles on LinkedIn..."Alternate Universes" is a 4-minute 'must-read' ! ConsulTec#

3 weeks ago

Thank you again for encapsulating many of the key points of this “checkered” landscape of various state laws. Your portrayal of how “diverse”! these state laws in your illustration of the USA is reminiscent of the classically colorful Wonder Bread label. And as one of your cartoons so aptly says it—it’s why we all need a federalized version as a basepoint for the 50 states. Kind regards/best/wellness, (Prof) PJG Sr MA JD CPPB Author of over 80 LinkedIn articles, inter alia.

Gregory Manwelyan

Data Privacy Attorney (CIPP/US)

4 weeks ago

"Rhode Island Data Transparency and Privacy Protection Act" definitely wins the acronym game. I also can't remember a Privacy Law since the GDPR that gave everyone so much time to prepare before it goes into effect (passed in June '24 and goes into effect January '26). Alex Pitser also pointed out to me that the system that manages a lot of RI networks was hacked and had a significant leak of PII 6 months after they passed this law. Can't make this up...
