Quick Hits
- Colorado joined the list of states with specific consent and policy requirements for biometric information, and new comprehensive data privacy laws are set to go into effect over the course of the next two years in twelve states: Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Rhode Island, and Tennessee.
- New data privacy laws in Oregon and Texas recently took effect on July 1, 2024.
- Although the requirements, exemptions, and precise definitions vary by state, these varying requirements include, but are not limited to, notice of data collection/use/sharing practices, certain rights for individuals pertaining to their data, opt-in and/or opt-out requirements for certain types of processing, and contractual requirements for third-party service providers processing personal data on a company’s behalf.
While these state laws seek to address the privacy risks associated with the increasing collection and processing of personal data by businesses, this increasingly complex patchwork imposes onerous and technical obligations on the collection, storage, and use of personal data. At the same time, states are rushing to enact artificial intelligence (AI) or automated decision-making laws, which are often overly broad and poorly drafted, in a knee-jerk reaction to the rise of generative AI tools, such as ChatGPT. There are also other topic-specific data privacy laws governing things like electronic monitoring, biometric data, and health data at the state level.
The explosion of comprehensive data privacy legislation across the United States has created an increasingly complex patchwork of laws imposing drastically different requirements. In general, these laws address the collection, use, and disclosure of personal data. While each law varies, personal data is usually broadly defined as any information that relates to an identifiable individual, which includes obvious elements like name, contact information, government identification numbers, biometric data, and health data, but it also often includes less obvious things like IP address and device identification numbers.
The below states have comprehensive data privacy laws:
Enacted Comprehensive Privacy Laws | Pending Comprehensive Privacy Laws |
--- | --- |
California Consumer Privacy Act (Effective January 1, 2020) | Montana Consumer Data Privacy Act (Effective October 1, 2024) |
Virginia Consumer Data Protection Act (Effective January 1, 2023) | Delaware Personal Data Privacy Act (Effective January 1, 2025) |
Colorado Privacy Act (Effective July 1, 2023) | Iowa Consumer Data Protection Act (Effective January 1, 2025) |
Connecticut Personal Data Privacy and Online Monitoring Act (Effective July 1, 2023) | Nebraska Data Privacy Act (Effective January 1, 2025) |
Utah Consumer Privacy Act (Effective December 31, 2023) | New Hampshire SB 255 (Effective January 1, 2025) |
Oregon Consumer Privacy Act (Effective July 1, 2024) | New Jersey SB 332 (Effective January 15, 2025) |
Texas Data Privacy and Security Act (Effective July 1, 2024) | Tennessee Information Protection Act (Effective July 1, 2025) |
 | Minnesota Consumer Data Privacy Act (Effective July 31, 2025) |
 | Maryland Online Data Privacy Act (Effective October 1, 2025) |
 | Rhode Island Data Transparency and Privacy Protection Act (Effective January 1, 2026) |
 | Indiana Consumer Data Protection Act (Effective January 1, 2026) |
 | Kentucky Consumer Data Protection Act (Effective January 1, 2026) |
Scope and Application
Subject to a few exceptions, companies that conduct business in or otherwise target their services or products to the above states may want to carefully evaluate the amount of personal information they handle relating to each state’s residents, including the information collected automatically by their websites. Businesses might want to also make sure they have a good understanding of their revenue sources and understand how much revenue is being derived from each source, as many of the comprehensive privacy laws have reduced numerical thresholds for businesses that derive a certain percentage of their revenue from the sale of personal data. The term “sale” is broader than the traditional definition and often includes certain common activities like disclosures of personal information for interest-based advertising. As a result, such activities could cause certain businesses that would not otherwise be subject to these laws to be treated as in-scope.
Businesses may want to pay attention to broadly applicable data and entity-specific exceptions baked into the laws. For example, every state except California that has passed a comprehensive privacy law has excluded employee data. To shake things up, Colorado recently passed amendments to the Colorado Privacy Act, effective July 1, 2025, to add new requirements relating to biometric information, which are similar to those of the Illinois Biometric Information Privacy Act minus the private right of action. The Colorado biometric requirements apply both in the consumer and employment context, while the rest of the law continues to exempt employment-related data. Some states also exempt small employers and government employers, and many states have drafted their privacy laws to exclude nonprofit entities entirely. Just six state comprehensive privacy laws—Colorado, Delaware, Maryland, Minnesota, New Jersey, and Oregon—apply generally to nonprofits, subject to a few limited carve-outs for nonprofits pursuing specific, enumerated missions.
Exemptions
Many states have incorporated data and entity-based exemptions for information and businesses already subject to certain forms of state and federal regulatory oversight. For example, most of the comprehensive privacy laws contain some form of exemption under the Health Insurance Portability and Accountability Act (HIPAA). In some states, including California, Colorado, Delaware, Maryland, Minnesota, New Jersey, and Oregon, this takes the form of a HIPAA data exemption, meaning that the law applies only to information that is not already subject to HIPAA (i.e., information other than protected health information). In other states, businesses that are subject to HIPAA (covered entities and business associates) are fully exempt from compliance with the applicable comprehensive privacy law.
Similar exemptions are built into the privacy laws for data and information regulated by the Gramm-Leach-Bliley Act (GLBA) and the Federal Education Rights and Privacy Act (FERPA), among other laws. As with the HIPAA exemption discussed above, the varying nature of these exemptions means that regulated entities, like financial services companies subject to GLBA, may have differing obligations from state to state, depending on whether they are exempted from the law wholesale, or whether they are exempt only insofar as the data they are processing is protected by GLBA, which could include consumer financial data in a loan application, but would not include information the company collects from consumers through their website.
Consumer Rights and Business Obligations
The comprehensive data privacy laws, similar to the European Union’s General Data Protection Regulation (GDPR), include specific requirements for providing notice and/or obtaining consent to the collection, use, and sharing of consumers’ personal information. Businesses that are subject to comprehensive privacy laws are likely to be required to obtain opt-in (affirmative) consent for the processing of sensitive personal information, such as social security numbers, precise geolocation information, biometric data, children’s data, or information about an individual’s health, sex life, or sexual orientation. The laws likewise enumerate specific consumer rights, including but not limited to the right to know, right to access, right to deletion, right to correction, and, in some cases, opt-out rights relating to the use of personal data in furtherance of things like automated decision-making.
While these rights are largely uniform, compliance is complicated by the fact that each law contains a statutory deadline for the business to comply with a data subject’s request to exercise their rights. These deadlines vary substantially. Moreover, some states require businesses that deny requests to provide a process by which consumers may appeal the denial. As such, it is critical that businesses that are required to recognize and respond to data subject rights have an established process in place to timely recognize and acknowledge data subject requests, and to timely and appropriately respond.
Businesses should remain cognizant that most state privacy laws grant consumers the right to opt-out of targeted advertising. There are numerous ways consumers can exercise this right, including active opt-outs (i.e., opt-outs expressed by contacting the business directly or submitted through some opt-out method made available by the business, such as a portal on their website) and passive opt-outs using a universal opt-out mechanism. Notably, many states require businesses to recognize passive opt-outs communicated through the Global Privacy Control, or GPC, which is a browser signal (and type of universal opt-out mechanism) that automatically communicates the web browser user’s preferred privacy settings to the website. So long as the website has been configured to detect and react to the preferences conveyed by the mechanism, the website will seamlessly record and respond to the individual’s request to limit the sharing and sale of their data.
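As an added illustration (not code from the article or from Ogletree Deakins), the following shows how a site's server-side code can detect the GPC browser signal and honor it alongside an active opt-out the user recorded directly with the business. The GPC signal is the request header `Sec-GPC` with the value `1`; the cookie name `opt_out_sale`, the function names, and the sample requests are assumptions constructed for this example.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal on
// the server side. Browsers with GPC enabled send the request header
// "Sec-GPC: 1"; the site must treat it as a request to opt out of the sale
// or sharing of personal data for targeted advertising.

// HTTP header names are case-insensitive, so normalize to lowercase once.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// The GPC specification defines the signal as the exact value "1".
// Any other value (or a missing header) means no signal was sent.
function hasGpcSignal(headers) {
  return normalizeHeaders(headers)['sec-gpc'] === '1';
}

// Minimal Cookie-header parser; used to read an active opt-out the user
// submitted through the site's own opt-out page (hypothetical cookie
// name "opt_out_sale", value "1").
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decides whether targeted-advertising or data-sale processing may run for
// this request. Either an active opt-out (cookie) or the passive GPC signal
// blocks it, and the source is recorded so the site can log that the
// opt-out was honored.
function adProcessingDecision(headers) {
  const h = normalizeHeaders(headers);
  const activeOptOut = parseCookies(h.cookie).opt_out_sale === '1';
  const passiveOptOut = h['sec-gpc'] === '1';
  return {
    allowTargetedAds: !(activeOptOut || passiveOptOut),
    source: activeOptOut ? 'cookie' : passiveOptOut ? 'gpc' : 'none',
  };
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { 'user-agent': 'Mozilla/5.0', 'Sec-GPC': '1' },
  { 'user-agent': 'Mozilla/5.0', 'sec-gpc': '0' },
  { 'user-agent': 'Mozilla/5.0', cookie: 'session=abc; opt_out_sale=1' },
  { 'user-agent': 'Mozilla/5.0' },
];
```

On the client side the same preference is exposed as `navigator.globalPrivacyControl`, so tag-loading scripts can apply the same check before any targeted-ad tracker is fired.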
Data Protection Impact Assessments
Several laws also include requirements that businesses that will be undertaking certain types of processing activities considered especially risky for consumers engage in data protection impact assessments (DPIAs). While the overall risk to consumers relating to processing activities should be assessed on a case-by-case basis, high-risk processing generally includes things like using personal data to engage in targeted advertising, selling personal data, profiling individuals where the profiling activities could reasonably harm the individual, such as where the profiling could cause the person to experience financial injury or discrimination, and processing sensitive personal data. The Federal Trade Commission has also indicated that it expects businesses to complete DPIAs before processing biometric data.
While the specific requirements of a DPIA vary between privacy laws, businesses that seek to engage in high-risk processing activities will generally be required to describe the project giving rise to the processing and its purpose, perform a risk-benefit analysis of the processing to justify the potential harms to consumers stemming from the processing, and explain how the organization intends to lessen the risks to consumers associated with the processing. Businesses conducting DPIAs may want to consider whether personal data can be used in a de-identified or anonymized form to protect consumers better and evaluate whether the contemplated processing activities are aligned with the reasonable expectations of the data subjects. DPIAs are required to be documented and can, in some circumstances, be subject to regulatory disclosure obligations.
Next Steps
Despite the common themes in the state comprehensive privacy laws described above, we don’t call it a “patchwork” for nothing. Each of the nineteen effective or pending privacy laws contains its own nuances and potential compliance hurdles. Businesses that are or expect to soon be subject to state privacy laws may want to review their data collection, retention, protection, and data subject rights policies for personal data. They also may want to critically evaluate their current and near-term data collection, use, and disclosure activities to ensure they have a handle on what is being collected when, where it is stored, and with whom it is shared, so they know whether additional activities like a DPIA are required and to ensure they are prepared to respond to consumer inquiries as needed.
Data privacy remains an area where an ounce of prevention is worth pounds and pounds of cure.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy and State Developments blogs and as additional information becomes available.
Benjamin Perry is of counsel in Ogletree Deakins’ Nashville office and co-chair of Ogletree Deakins’ Cybersecurity and Privacy Practice Group.
Lauren Watson is an associate in Ogletree Deakins’ Raleigh office and a member of Ogletree Deakins’ Cybersecurity and Privacy Practice Group.
Zachary V. Zagger is senior marketing counsel at Ogletree Deakins’ New York office.
This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.