PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

U.S. State Privacy Laws: Making Sense of the Mess

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 8, 2025

  U.S. State Privacy Laws: Making Sense of the Mess

The year kicked off with several privacy laws coming into effect, and there are several more scheduled to become active this year. Here’s a current list:

Iowa (January 1, 2025)
Delaware (January 1, 2025)
Nebraska (January 1, 2025)
New Hampshire (January 1, 2025)
New Jersey (January 15, 2025)
Tennessee (July 1, 2025)
Minnesota (July 31, 2025)
Maryland (October 1, 2025)

With about 20 states with a consumer privacy law (plus a growing number of subject-specific state privacy laws), the landscape is becoming unwieldy. But the laws share a lot of similarities, so it’s far from total madness.

State Privacy Law Cartoon

For more cartoons, subscribe to my free newsletter

Key Similarities and Differences

Here’s some help in cutting through the madness.

  • All state consumer privacy laws are extraterritorial
  • Unlike the GDPR, which applies to all types of entities, most state laws apply only to for-profit companies (exceptions: MN, DE, NJ, CO, OR, MD).
  • Unlike the GDPR, nearly all state privacy laws don’t apply to the government (because in the U.S., governments hate to follow rules like everyone else) .
  • Most define personal data similarly to the GDPR.
  • Unlike the GDPR, most have thresholds to exclude small business (but thresholds vary).
  • Most exclude data regulated by federal privacy laws such as HIPAA, GLBA, FCRA, and FERPA
  • Most have similar categories of sensitive data, though there are some variations. Most recognized categories include racial or ethnic origin, sexual orientation (several also include sex life), genetic or biometric data, religious beliefs, mental and physical health diagnosis (considerable variation on how this is worded), citizenship or immigration status, data collected from a child, and precise geolocation.
  • Most provide for individual rights to access, deletion, correction, data portability.
  • Most provide opt out rights for sale of data, targeted ads, profiling.
  • Most require opt in (and a PIA) for processing sensitive data (exceptions: UT, CA).
  • Most require data processing agreements.
  • Most require PIAs for targeted ads, profiling, sensitive data, sale of data, and risk of harm.
  • Most are enforced by state AGs and have fines (exception: CA is enforced by a special privacy agency).
  • Most lack a private right of action (exception: CA has a private right of action for data breaches).

Data Minimization: Maryland’s Privacy Law

The biggest outlier is Maryland, which takes a data minimization approach. The law states that collection or processing of personal data must be “reasonably necessary” to provide the product or service requested by the consumer, unless the consumer opts in to broader data use. Sensitive data requires opt in plus no data collection nor processing unless “strictly necessary” to provide the product/service. And processing beyond what is strictly necessary is prohibited – even with consent!

Privacy Laws

Subject-Specific Privacy Laws

States are also passing subject-specific privacy laws. Hot areas include:

  • Biometric data
  • Health data
  • Children’s data
  • Online content moderation
  • Education privacy

Privacy Training Circa 2025: What to Do?

You can’t train the entire workforce on all these privacy laws, so what should you do?  My recommendations:

  1. Train on key privacy principles and concepts that underpin most laws
  2. Train employees in specific roles with training relevant to them – marketing folks should get trained about marketing laws (TCPA, CAN-SPAM, CASL); engineers should be trained in privacy data data protection by designed; HR folks who handle PHI should be given HIPAA training, and so on.
  3. Train the privacy and legal teams (and others in relevant roles) with the basics of various laws. These people should learn at least the basics of how various laws work. They don’t need to become experts in each law, but should have a rough sense of the landscape.

If you want help with privacy training, I have courses and resources for all of the above – courses that synthesize privacy laws, courses on specific privacy laws, and courses on various privacy concepts (data minimization, PIAs, DSRs, data mapping, secondary use, data retention, and more).  I have whiteboards for 100+ laws that summarize each law in 1 page. Reach out if you’re interested.

US State Consumer Privacy Laws Training Course

Whiteboards US State Consumer

Button Learn More 01

 

Professor Solove’s Newsletter (free)

TeachPrivacy Newsletter

Sign up for Professor Solove’s Newsletter about his writings, whiteboards, cartoons, trainings, events, and more.

Order Prof. Solove’s forthcoming book, ON PRIVACY AND TECHNOLOGY

 

 

U.S. State Consumer Privacy Law Whiteboards

US State Consumer Privacy Law Whiteboards