Episode 76 — Domain V Overview: Role of States in the U.S. Privacy Framework

State-level privacy lawmaking in the United States must be understood against the backdrop of federalism. Unlike some countries that operate under a centralized national privacy statute, the U.S. system divides authority between federal and state governments. States exercise their constitutional police powers to regulate matters affecting the health, safety, and welfare of their residents, which extends naturally into data protection and privacy. This federalism context explains why state legislatures have emerged as leaders in filling gaps left by the absence of a single, comprehensive federal privacy law. As digital technologies continue to evolve, states have used their authority to address pressing concerns such as data brokers, targeted advertising, and biometric information. While this leads to a patchwork of rules that complicates compliance, it also fosters innovation as states test different models of regulation.
Within this framework, state legislatures, regulators, and courts each play distinct roles. Legislatures pass the foundational privacy statutes, defining consumer rights and business obligations. Regulators, such as state attorneys general or specialized agencies, issue rules and provide guidance that operationalize the laws. Courts then interpret these statutes in real disputes, clarifying ambiguous provisions and shaping enforcement boundaries. For example, judicial rulings may determine how broadly to interpret “sale” of data or whether certain exemptions apply. This dynamic interplay of lawmaking, enforcement, and interpretation creates a living body of privacy governance that evolves over time. Businesses must stay attentive not only to legislative updates but also to regulatory guidance and case law that can shift compliance expectations.
State attorneys general serve as primary enforcement authorities for most state privacy statutes. They wield investigative tools such as civil investigative demands, subpoenas, and settlement negotiations. These offices often have consumer protection divisions with experience in addressing deceptive or unfair practices, and privacy enforcement extends naturally from that foundation. Attorneys general can bring actions seeking civil penalties, injunctive relief, or consent decrees that mandate ongoing compliance measures. In some states, they also coordinate with other regulators, sharing expertise and resources. This enforcement model ensures that privacy laws have practical impact, deterring misconduct and reinforcing the seriousness of compliance obligations.
California has gone further by creating a dedicated agency: the California Privacy Protection Agency. Established under the California Privacy Rights Act, this agency has independent rulemaking authority and is empowered to enforce the state’s privacy framework alongside the attorney general. Its structure mirrors European data protection authorities, signaling a shift toward specialized oversight in U.S. privacy law. The agency’s mandate includes issuing regulations, conducting audits, and educating consumers about their rights. For businesses, this means not only stricter oversight but also greater availability of guidance on how to comply. California’s model may influence other states considering dedicated privacy regulators in the future.
Most state privacy laws apply based on thresholds tied to resident counts, revenue, or data processing volume. For example, statutes may apply to businesses that process data on 100,000 or more residents or that derive a certain percentage of revenue from selling personal data. These thresholds are intended to focus regulation on larger entities with significant data operations, sparing small businesses from burdensome compliance obligations. However, the thresholds vary by state, creating complexity for organizations operating nationwide. Companies must carefully assess whether they cross thresholds in each jurisdiction, as compliance duties trigger only when applicability criteria are met.
Entity-level exemptions are another defining feature. Many state laws exclude financial institutions already covered by the Gramm-Leach-Bliley Act, health entities subject to HIPAA, and nonprofit organizations. Similarly, data-level exemptions apply to categories such as employment records, publicly available information, or de-identified datasets. These carve-outs reflect legislative choices to avoid duplicating federal regulations or overburdening certain sectors. For businesses, exemptions can simplify compliance but also create challenges when data falls partly inside and partly outside the protected categories. Careful data mapping is necessary to determine which obligations apply in mixed-use contexts.
Consumer rights portfolios form the heart of modern state privacy statutes. Common rights include access to personal data, deletion of information, correction of inaccuracies, and portability of data in a usable format. These rights mirror those found in international frameworks such as the GDPR but are adapted to U.S. contexts. Businesses must establish processes for receiving, verifying, and fulfilling consumer requests within statutory timelines. Failure to do so risks enforcement actions and consumer distrust. These rights transform abstract privacy principles into actionable entitlements that consumers can exercise directly, reshaping how businesses manage personal data.
Opt-out rights extend consumer control into areas such as data sales, cross-context behavioral advertising, and profiling. For example, consumers may have the right to opt out of targeted ads that track them across websites or to block businesses from selling their information to data brokers. These rights often require businesses to implement clear opt-out mechanisms, such as prominent links or preference centers. In some states, technical signals like browser privacy controls must also be honored. Opt-out regimes push companies to rethink data monetization strategies while enhancing transparency and consumer choice.
Consent standards vary across states but often impose heightened requirements for children and teens. Verifiable parental consent is required for processing data of younger children, while some laws introduce opt-in models for teenagers under a certain age. These provisions reflect growing concerns about how digital platforms handle minors’ data. For businesses, compliance requires not only technical mechanisms for obtaining consent but also careful communication with parents and guardians. State-level consent rules interact with federal statutes like COPPA, creating layered compliance duties that must be harmonized in practice.
Transparency obligations remain universal. State laws require businesses to provide privacy notices that explain data practices in clear, accessible language. Notices must specify what data is collected, how it is used, with whom it is shared, and for how long it is retained. Some states mandate layered disclosures, offering high-level summaries with links to detailed explanations. Transparency builds accountability by giving consumers the information they need to make informed choices. For businesses, crafting compliant notices is both a legal requirement and a reputational opportunity to demonstrate commitment to privacy.
Many state frameworks also mandate data protection assessments for high-risk processing activities. These assessments evaluate the necessity, benefits, and risks of practices such as targeted advertising, profiling, or processing sensitive categories of data. By documenting these evaluations, businesses create a record that can be reviewed by regulators or used to demonstrate accountability. Assessments also promote internal reflection, forcing organizations to weigh risks before deploying new technologies. This preventive tool shifts compliance from reactive to proactive, embedding privacy into decision-making processes.
Data processing agreements are required to govern relationships between controllers and processors. These contracts must set out roles, responsibilities, and limits on processing. Typical provisions include instructions for processing, security requirements, and audit rights. State laws mirror international trends in holding not only data controllers but also service providers accountable. For businesses, this means negotiating and updating contracts to align with statutory requirements. Strong agreements reduce ambiguity and create shared accountability across the data ecosystem, ensuring that privacy obligations extend through the supply chain.
Security program expectations also appear across state laws, often framed as requiring “reasonable safeguards.” While less prescriptive than sectoral regulations, these requirements establish baselines for protecting personal data against unauthorized access or disclosure. Reasonableness may be judged based on industry standards, organizational size, and the sensitivity of data. Employers must translate this standard into practical controls such as encryption, access management, and incident response plans. Meeting the reasonableness standard is not only about avoiding breaches but also about demonstrating diligence in protecting consumer trust.
Finally, breach notification statutes provide a universal touchpoint. Every state has laws requiring notification to affected individuals, and in many cases, regulators, when personal information is compromised. These statutes define personal information broadly, often including names paired with Social Security numbers, driver’s license numbers, or financial account details. Breach notification rules have become one of the most consistent elements of state privacy law, providing a baseline expectation for accountability. For businesses, they reinforce the need for incident response planning and highlight the reputational stakes of protecting personal data.
Health data has become one of the most sensitive and heavily regulated categories under state privacy laws. Recent trends include bans on geofencing around healthcare facilities, reflecting concern that location-based targeting could be used to track individuals seeking medical services. States also increasingly define health data broadly, extending protections beyond HIPAA-regulated entities to cover wellness apps, fertility trackers, and fitness platforms. Sensitive category limits require heightened safeguards and often prohibit certain uses without explicit consent. Employers and businesses must treat health data as high risk, implementing strong security controls and avoiding secondary uses that could erode trust. These measures demonstrate how states are responding to public anxiety over how personal health information is collected and exploited outside traditional healthcare settings.
Cookies and online tracking mechanisms are also in the crosshairs of state privacy laws. Several statutes require businesses to offer opt-outs from targeted advertising that relies on cross-context behavioral tracking. In practice, this means companies must provide cookie banners, preference centers, or links such as “Do Not Sell or Share My Personal Information.” Some states go further, requiring businesses to honor universal opt-out signals transmitted by browsers or plug-ins. These developments push organizations to redesign their digital marketing strategies, shifting from opaque tracking to more transparent consent or opt-out models. For consumers, the result is greater control over online profiles and advertising practices, aligning state law with broader global trends in digital privacy.
Biometric privacy statutes are another growing area. Illinois’s Biometric Information Privacy Act is the most prominent, requiring consent for biometric collection, strict retention limits, and offering a private right of action for violations. Other states are adopting similar measures, though with variations in enforcement and remedies. These laws cover identifiers such as fingerprints, face geometry, voiceprints, and retinal scans. For employers, this creates significant obligations around timekeeping systems, access control, and wellness programs that use biometric data. Noncompliance risks costly litigation, especially in states with private rights of action. Biometric rules highlight the emphasis states place on protecting immutable personal identifiers, which are both highly useful and uniquely vulnerable if misused.
Automated decision-making and artificial intelligence oversight are beginning to appear in state frameworks. Legislatures are considering requirements for transparency, bias audits, and consumer rights to opt out of profiling. These measures reflect concern that algorithms can replicate or amplify discriminatory patterns, particularly in hiring, lending, and targeted advertising. States may soon require businesses to explain how automated decisions are made and to provide human review mechanisms. Even in their early stages, these provisions signal a shift toward AI governance as part of privacy law. For organizations, this means monitoring the evolving landscape closely and preparing for future obligations that will demand explainability, fairness, and accountability in algorithmic processing.
The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, remain the most comprehensive state frameworks. Core principles include expanded consumer rights, broader definitions of personal information, and detailed requirements for businesses handling large-scale data. The CPRA introduced the California Privacy Protection Agency, new obligations around sensitive data categories, and rules for automated decision-making. California’s framework often sets the pace for other states, functioning as a de facto national standard for large organizations. Businesses must understand its key provisions not only for California compliance but also as a preview of how privacy laws may evolve elsewhere.
The California Age-Appropriate Design Code adds specific protections for children and teens. Inspired by similar rules in the United Kingdom, it requires businesses that offer online services likely to be accessed by children to configure default settings with privacy in mind. This includes restrictions on profiling, location tracking, and nudging techniques that encourage data sharing. The law reflects heightened sensitivity to youth privacy in the digital era, particularly in social media and gaming contexts. Compliance requires organizations to evaluate their services from a child’s perspective, reinforcing safety and privacy by design.
Another significant development in California is the Delete Act, which expands consumer rights by requiring data brokers to register and respond to global deletion requests. Consumers can request that their personal information be deleted across multiple brokers simultaneously, reducing the burden of submitting individual requests. For businesses, the Act signals growing skepticism toward opaque data trading practices and strengthens accountability for data broker operations. The Delete Act exemplifies how states are experimenting with innovative models to rebalance power between consumers and data-driven industries.
Virginia’s Consumer Data Protection Act represents a different model, with baseline rights and controller duties similar to the GDPR but with limited enforcement mechanisms. The Act provides rights to access, delete, correct, and port data, but it restricts enforcement to the attorney general, without a private right of action. Its balanced approach appeals to businesses seeking predictability while still offering consumers meaningful rights. For organizations, Virginia’s law serves as a baseline model, simpler than California’s but part of the growing patchwork of state frameworks requiring operational alignment.
Colorado’s Privacy Act builds on Virginia’s structure but includes unique provisions, such as rules governing insurance practices and unfair discrimination. It also expands transparency obligations and grants regulators administrative audit powers. Colorado emphasizes fairness in both consumer and commercial contexts, adding layers to compliance that businesses must address. Its law illustrates how states are tailoring privacy frameworks to local policy priorities, creating variations that complicate multi-state compliance. Organizations must recognize these differences while identifying common elements across jurisdictions.
Other states, including Connecticut, Utah, and Oregon, have passed comprehensive privacy acts that mirror many of the same rights and duties. While details vary, common cores are emerging: consumer rights to access and deletion, opt-outs for targeted advertising, and requirements for data protection assessments. This harmonization trend suggests that while state laws remain diverse, they are converging on a shared set of principles. For businesses, this offers opportunities to design compliance programs around commonalities, even as they track state-specific nuances. The evolution of these laws highlights the dynamic balance between divergence and harmonization in U.S. privacy.
Enforcement provisions also vary across states. Some laws provide cure periods, allowing businesses time to correct violations before penalties apply, while others impose fines immediately. Penalty ranges can be significant, with civil penalties often in the thousands of dollars per violation. Audit powers are expanding, with agencies authorized to proactively review practices rather than waiting for complaints. These enforcement tools reinforce that state privacy laws are not symbolic—they carry teeth. Organizations must treat compliance as a proactive responsibility rather than a reactive defense against complaints.
State laws also interact with federal sectoral laws, creating preemption questions. For example, HIPAA preempts state laws that conflict with its provisions, but state laws may go further in areas HIPAA does not cover. Similarly, financial institutions governed by GLBA may be exempt from state frameworks, though exemptions are not always complete. Understanding this interplay is essential for businesses operating across industries, as compliance obligations may vary depending on the data type and sector. Navigating these boundaries requires careful legal interpretation and alignment between privacy and compliance teams.
Managing compliance across multiple states requires harmonization strategies. Businesses often adopt a “highest common denominator” approach, applying the strictest applicable standard across all jurisdictions. Others may implement modular policies, tailoring practices to state-specific requirements. Either way, operationalizing multi-state compliance requires robust data mapping, centralized governance, and ongoing monitoring of legislative updates. A harmonized model reduces complexity and helps demonstrate diligence to regulators. In this way, organizations can turn the patchwork challenge into an opportunity for program maturity and consistency.
From an exam perspective, state frameworks highlight recurring themes that connect theory to real-world practice. Common cores such as consumer rights, opt-outs, transparency, and risk assessments appear across jurisdictions. Divergent edges, such as private rights of action or child-specific protections, illustrate how states experiment with different models. Understanding these themes equips professionals to anticipate compliance obligations, design scalable programs, and recognize where harmonization is possible. The role of states in shaping privacy law reflects both the strength of U.S. federalism and the practical reality that businesses must navigate a mosaic of overlapping rules.
State privacy leadership underscores the importance of adapting programs to diverse and evolving standards. By emphasizing narrow purposes, strong security, consumer empowerment, and transparency, organizations can meet core expectations across jurisdictions while tailoring policies to specific state requirements. The result is a compliance posture that is both lawful and resilient, balancing the innovation of state leadership with the operational needs of national and global businesses. State laws may differ in detail, but together they are constructing a framework that defines privacy in the United States today.