Learn how to navigate the complex landscape of state-level consumer privacy laws in the U.S. with insights into compliance requirements for 2025 and beyond. Understand your obligations and stay informed as more states adopt data privacy regulations.
With no federal consumer privacy law in place, U.S. businesses must navigate a complex framework of state-level consumer privacy laws. Currently, at least 14 states have enacted comprehensive data privacy laws, with nine of these already in effect.
In January 2025, data privacy laws enacted in Iowa, Delaware, New Hampshire, Nebraska, and New Jersey will take effect, and those states will join California, Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, and Montana. On July 1, 2025, the Tennessee Information Protection Act will become effective, followed by the Minnesota Consumer Data Privacy Act on July 31, 2025, and the Maryland Online Data Privacy Act on October 1, 2025. On January 1, 2026, similar laws passed in Indiana, Rhode Island, and Kentucky will also take effect.
By the end of 2025, state-level consumer privacy laws will govern the personal data of nearly 150 million Americans, roughly equivalent to 43% of the U.S. population. As each state’s privacy law framework comes online, the task of compliance becomes increasingly complicated. A clear understanding of how these laws operate, including the businesses they cover, is essential.
Many state consumer privacy laws are modeled on the landmark California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Signed into law on June 8, 2018, the CCPA was the first state consumer data privacy law in the U.S. when it took effect on January 1, 2020.
Later that same year, the CCPA was amended and expanded by the CPRA, which went into full effect on January 1, 2023. In its current form, the CPRA confers the following basic rights on California residents:
(1) the right to know what personal information is being collected about them;
(2) the right to request the deletion of their personal information;
(3) the right to correct inaccurate personal information;
(4) the right to limit the use and disclosure of sensitive personal information;
(5) the right to opt-out of the sale or sharing of their personal information; and
(6) the right to non-discrimination in service and price when they exercise their privacy rights.
The CPRA also mandates that businesses provide mechanisms for consumers to exercise these rights and respond to consumer requests in a timely manner. The CPRA’s scope includes businesses regardless of their physical presence in California, as long as they meet the specified criteria and handle the personal information of California residents.
To fall within the CPRA’s coverage, a company must offer goods or services to California residents and:
1. Have annual gross revenues in excess of $25 million, or
2. Annually purchase, receive, sell, or share for commercial purposes the personal information of 100,000 or more consumers or households, or
3. Derive 50 percent or more of its annual revenues from selling consumers' personal information.
Working with the basic statutory framework established by the CPRA, other state consumer privacy laws grant similar rights to their respective state residents, although the threshold requirements that trigger coverage under these laws vary from state to state. Therefore, the first step on the road to compliance is to determine which (if any) of these laws are applicable to your business.
Most states apply their privacy laws to any company “doing business” within their borders, an exceedingly low bar to clear now that the Internet has made physical borders virtually meaningless. Whether a particular state’s privacy law actually applies to your business, however, depends on factors such as its annual revenue, the volume of personal data it processes, and the specific purposes for which that data is used.
With the exception of Nebraska and Texas, state privacy laws are generally triggered in part by the number of residents whose personal data is processed. For example, the laws of California, Colorado, and Connecticut apply to companies that annually buy, sell, or share the personal information of 100,000 state residents.
For other states, the trigger may be lower or may vary depending upon the purpose for which the data is used. When it takes effect on January 1, 2025, the Delaware Personal Data Privacy Act (DPDPA) will apply to companies that process data of 35,000 Delaware residents, unless they derive more than 20% of their gross revenue from personal data sales, in which case the threshold number is reduced to 10,000. The laws of Indiana, Iowa, Kentucky, and other states also include fluctuating thresholds depending upon the percentage of revenue derived from data sales.
Once you've determined that your company falls under one or more state-level consumer privacy laws in the U.S., the next step is to evaluate and update your privacy policy. This ensures it accurately discloses your company’s personal information practices, including how it collects, uses, shares, transfers, and stores personal information.
When doing so, be certain to review any specific requirements imposed by applicable state consumer privacy law(s), as well as guidance offered by the Federal Trade Commission, and be certain to take the following best practice recommendations into account:
Finally, you will also need to update your internal processes and develop a procedure for managing consumer requests in compliance with the specific requirements of each state. Keep in mind that some states impose more stringent standards than others with respect to data minimization principles, limitations on data use, and required data protection measures; all of these must be taken into consideration.
In light of the complexities involved, to ensure compliance with applicable state consumer privacy laws, consider working with a legal or privacy professional, either of whom can help identify and address any gaps or unique obligations posed by the laws of multiple states.
In the end, a structured and organized approach will help ensure you cover all the required bases, including data collection practices, disclosure requirements, opt-out mechanisms, and state-specific obligations.