2023 was a busy year for privacy regulators in the United States, where the number of states with comprehensive consumer privacy laws increased from 5 to 12 (this excludes narrower state privacy laws such as Florida’s Digital Bill of Rights and Washington’s My Health My Data Act). On 16 January 2024, New Jersey became the 13th state to enact a comprehensive privacy law when US Senate Bill 332 was signed into law.
Without significant movement toward an omnibus federal privacy law, more states will likely enact privacy laws in the coming months, contributing to the already complex patchwork of privacy laws in the United States. Impacted organizations must build a privacy program around these laws and allocate sufficient resources to address compliance requirements.
Table 1 summarizes current comprehensive state privacy laws in the United States ordered by their effective dates.
Table 1—US Privacy Laws by State

| # | State | Comprehensive State Privacy Law | Effective Date |
|---|-------|---------------------------------|----------------|
| 1 | California | California Consumer Privacy Act as amended by the California Privacy Rights Act | In effect |
| 2 | Virginia | Consumer Data Protection Act | In effect |
| 3 | Colorado | Colorado Privacy Act | In effect |
| 4 | Connecticut | Colorado Privacy Act | In effect |
| 5 | Utah | Consumer Privacy Act | In effect |
| 6 | Oregon | Oregon Consumer Privacy Act | 1 July 2024 |
| 7 | Texas | Texas Data Privacy and Security Act | 1 July 2024 |
| 8 | Montana | Consumer Data Privacy Act | 1 October 2024 |
| 9 | Iowa | Iowa Consumer Data Protection Act | 1 January 2025 |
| 10 | Delaware | Delaware Personal Data Privacy Act | 1 January 2025 |
| 11 | New Jersey | New Jersey Data Protection Act | 15 January 2025 |
| 12 | Tennessee | Tennessee Information Protection Act | 1 July 2025 |
| 13 | Indiana | Consumer Data Protection Act | 1 January 2026 |
Roadmap to US State Law Compliance
With enforcement starting as early as 1 July 2024, it is prudent for US organizations to develop a state law compliance roadmap quickly to reduce business disruptions and allocate resources for compliance efficiently. While obligations under each US state law are similar in most respects, privacy professionals should evaluate each law individually to account for subtle nuances in privacy rights and requirements when developing a compliance program. There are several high-level steps organizations can take to achieve compliance with US state privacy laws in 2024:
- Assess applicability—Each US state privacy law has different jurisdictional thresholds to determine if an organization is covered under the law. The first step is to perform a thorough assessment, considering factors such as organization type, size, revenue, volume of state residents' data processed, type of processing performed, and exceptions granted.
- Perform a compliance readiness assessment—Map compliance requirements for the in-scope state laws to the existing privacy compliance program and evaluate any compliance gaps. An effective strategy is to leverage a regulation-agnostic framework and regulatory crosswalks such as International Organization for Standardization standard ISO 27701 or the US National Institute of Standards and Technology (NIST) Privacy Framework to facilitate this assessment and create a repeatable process. The gap assessment is the primary input into the compliance strategy and roadmap.
- Update data mapping—Create or update data inventories and data maps to determine privacy obligations and understand how personal data is collected, used, shared, or disclosed, and for what purpose. The data mapping should include certain categories of personal data (e.g., sensitive data, employee data, data of a minor) and specific use cases, such as marketing, profiling, and automated decision making based on the laws in scope.
- Revise privacy notices and policies—All 12 comprehensive US state laws require privacy notices. Update internal and external policies and notices to incorporate additional state privacy law requirements such as new privacy rights, procedures to exercise these rights, details of processing activities, and separate state law privacy sections (if required).
- Enable privacy rights—Expand privacy rights handling processes for intake, verification, tracking, fulfillment, and appeals to include new rights and response periods mandated by state privacy laws. While the US state of Iowa has a 90-day response period, other states have a 45-day response period for privacy rights. Organizations may build a one-size-fits-all program, keeping the most stringent requirements in mind to simplify compliance.
- Implement consent and opt-outs—Specific categories of personal data collection require opt-in consent, and organizations will need to build a consent management mechanism to handle consent appropriately. Several state privacy laws also require a universal opt-out mechanism, such as Global Privacy Control, which organizations must implement on all applicable surfaces.
- Enhance security safeguards—Evaluate the organization’s cybersecurity posture for protecting personal data and strengthen administrative and technical controls to comply with the new laws, emphasizing readiness for handling security breaches and implementing controls related to cookies and tracking technologies.
- Conduct risk assessments—Conduct data protection assessments for high-risk processing activities such as the sale of data, individual profiling for advertising, AI applications, and processing of sensitive data.
- Review vendor contracts—Review and, if necessary, renegotiate or amend vendor contracts and data processing agreements to comply with the new state privacy law requirements.
- Refresh privacy training—Update privacy training content for individuals tasked with facilitating privacy rights, handling privacy grievances, and managing the compliance program to reflect new state privacy law requirements. It is a best practice to periodically review and update broader, enterprise-wide privacy awareness training to ensure alignment with the evolving privacy regulatory landscape.
These steps are not specific to US state privacy laws and can also be applied more generally to prepare for other sector-specific and international privacy regulations. Laws are evolving, and many states are expected to issue additional compliance guidance in the coming months. Because privacy programs are dynamic, compliance teams should take a risk-based lens to evaluate and improve privacy compliance as new guidance becomes available and new laws are passed.
Nandita Rao Narla is the head of technical privacy and governance at DoorDash. Previously, she was a founding team member of a data profiling startup and held various leadership roles at EY, where she helped Fortune 500 companies build and mature privacy, cybersecurity, and data governance programs. She is a senior fellow at Future of Privacy Forum and serves on the advisory boards, technical standards committees, and working groups of ISACA®, International Association of Privacy Professionals (IAPP), Ethical Tech Project, X Reality Safety Initiative, Institute of Operational Privacy Design, and NIST.