As of the date of this post, at least nineteen comprehensive state privacy laws have been passed and signed into law. Seven of those laws are currently in effect with active enforcement by state regulators. By this time next year (July 2025), laws in an additional eight states will be in effect. Below is a chart of the current state laws and their effective dates.

| Effective Date | States |
| --- | --- |
| January 1, 2020 | California |
| January 1, 2023 | Virginia |
| July 1, 2023 | Colorado, Connecticut |
| December 31, 2023 | Utah |
| July 1, 2024 | Oregon, Texas |
| October 1, 2024 | Montana |
| January 1, 2025 | Delaware, Iowa, Nebraska, New Hampshire |
| January 15, 2025 | New Jersey |
| July 1, 2025 | Tennessee |
| July 31, 2025 | Minnesota |
| October 1, 2025 | Maryland |
| January 1, 2026 | Indiana, Kentucky, Rhode Island |

Navigating the overlapping complexities of various state privacy laws can be daunting. In an effort to help group compliance obligations, I have attempted to “bucket” the issue or obligation with the relevant states. Below is a breakdown of how each state stacks up when it comes to obligations and requirements.

| Issue | States |
| --- | --- |
| Common Rights (Access/Delete, no discrimination, notice) | All states |
| Right to Correct | All except Iowa and Utah |
| Right to Opt-Out of Processing of Sensitive Data | California |
| Right to Opt-In to Processing of Sensitive Data | CO, CT, DE, IN, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, VA |
| Right to Appeal (and mechanism to contact AG) | CO, CT, DE, IN, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, VA |
| Entity Level Exemptions | All states, except CA, CO, DE, MN, NJ, and OR |
| Allow Further Regulations | CA, CO, NJ, CT (Task Force-TBD), IN & DE (Resources Only), TX (Recommendations re changes) |
| Risk Assessments | All except Iowa and Utah |
| Private Right of Action | California only (MI, MA – on deck, VT – vetoed) |

Many of the states have more nuanced or one-off requirements that can make state-specific compliance difficult without defaulting to the “lowest common denominator” approach. While this may be advisable for organizations that need to streamline their privacy compliance, it can also create compliance risks. In particular, failing to see the whole picture of how these laws interact, weave together, and diverge from each other may create blind spots as you implement these requirements. Seeing the whole picture provides a clearer understanding of how to create a privacy program that is not only compliant, but will be effective as additional laws and regulations are promulgated. Below are some additional requirements that may require a deeper dive into how to integrate these into a particular business model or vertical.

| Issue | States |
| --- | --- |
| Dark Pattern Prohibition | All except Iowa and Utah |
| Consent Definition and Obligations | All except Iowa and Utah |
| Appointment of a Chief Privacy Officer | Minnesota |
| Profiling Prohibition (Generally) | All states |
| Profiling (additional rights) | MN |
| List of Specific Third Parties Data Disclosed To | OR, MN |
| Prohibition on Processing Certain Sensitive Data | MN, MD |
| Online and Offline Practices | CA, CO (but potentially all states) |
| Data Minimization (Specifically Addressed) | CA, CO |
| Limits on Processing (“relevant and reasonably necessary”) | All states |
| Do Not Sell/Share (Includes Trackers) | All states |

When tackling privacy compliance, start early and address the “low-hanging fruit” first: data retention, sensitive personal information, dark patterns that may exist in website flows or disclaimers, online trackers, and an understanding of your data intake and use. Privacy governance is a multi-faceted, evolving process. The closest approximation is the old adage on how to eat an elephant . . . one bite at a time.
