
Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.
While these new state laws share some commonalities, their unique obligations contribute to a complex compliance landscape. Furthermore, certain states are also introducing specialized privacy laws, such as those focused on consumer health data. In this chapter, we explore the current status of US state consumer privacy laws, highlight key areas of alignment and divergence, and offer predictions regarding upcoming enforcement priorities.
California was the first state to pass a comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), in 2018. Since then, other states have passed their own laws, and the first half of 2024 saw a surge of new ones; at one point, a new state law seemed to pass weekly. These state consumer privacy laws are either in effect or coming into effect through 2026.
As of the end of August 2024, 20 states had passed consumer privacy laws, and two further states had passed consumer health data laws. Notably, these laws have gained support on both sides of the political aisle, from both Democratic and Republican legislators.
The chart below shows the degree of bipartisan support for these privacy laws: states with consumer privacy laws and Democratic-party affiliated governors are shown in blue, and those with Republican-party affiliated governors in red.
[Chart: states with consumer privacy laws, colored by governor's party affiliation. Laws passed as of August 31, 2024.]
*Consumer health data specific laws:
1. Nevada Act Relating to Data Privacy
2. Washington My Health My Data Act
While there initially appeared to be momentum in Congress toward a federal privacy bill, including for the American Privacy Rights Act of 2024 (APRA) being deliberated in this 118th Congress, support for the APRA has appeared to cool and commentators now think it’s unlikely that the APRA will pass in its current form in this legislative session.
“We have reached a turning point in US privacy regulation, and there is no going back: the future involves greater regulation and protection for consumers.” (Christine Lyon, Partner)
This means that, for the foreseeable future, the state-level privacy laws are here to stay. Notoriously, the US has 50 different state data breach laws, and in principle, we could end up with 50 different state consumer privacy laws as well.
As the number of US state consumer privacy laws continues to grow, it’s crucial for companies to take proactive steps to navigate this evolving landscape.
Here are three key actions to consider:
1. Develop a Compliance Strategy: Collaborate with your business teams to create a comprehensive approach for complying with state privacy laws. With new legislation emerging regularly, having a robust privacy compliance strategy will help you establish sustainable policies and procedures.
2. Review Consumer Rights Mechanisms: Take a close look at the rights mechanisms available to consumers. This includes evaluating the methods you have in place and ensuring you’re ready to respond effectively.
Keep in mind:
- This area is under high scrutiny, with significant volumes of complaints reported by the CPPA.
- Consumer rights mechanisms are highly visible to regulators, making it easy for them to spot potential deficiencies (for example, companies receiving CCPA notices of violation for failing to include a ‘Do Not Sell or Share My Personal Information’ link on their sites).
- Prioritizing these mechanisms is essential, as they are a focal point of US state privacy laws and play a crucial role in building customer trust.
3. Educate and Engage Your Team: Share updates on new privacy laws and provide training for employees on how to handle data subject requests and the importance of compliance. Keeping your team informed and engaged is vital for fostering a culture of privacy within your organization.
2025 Data law trends