More States Pass Consumer Data Privacy Laws

In the continuing absence of federal privacy legislation and in response to growing public concern over privacy rights, more states are tackling the void that exists in the area of consumer privacy protection in the United States. On the heels of Iowa’s new law, Indiana, Montana, Tennessee and Texas also have enacted consumer data privacy laws before the close of their respective 2022-23 legislative sessions.  

A comparative review of these 10 state data protection laws can be found here. It is worth noting that the following states are also considering data privacy legislation: Delaware, Maine, Massachusetts, New Hampshire, New Jersey, North Carolina, Oregon, Pennsylvania, and Rhode Island. If passed, nearly half of the U.S. states will have their own data privacy laws; however, it is possible that some or all of these laws may die on the vine as the states’ legislative sessions come to a close.

As the chart highlights, there are considerable differences among the various state data privacy laws, which will make compliance a challenge for many companies. In light of this added complexity, clients should consider a two-pronged approach to compliance: (1) review each state’s law to determine whether a company falls within the scope of the law and is therefore required to comply with it, and (2) develop a compliance program that will enable compliance with all applicable laws. It may make sense for a company to gear its compliance program to the most stringent requirements across the board, rather than trying to implement varying requirements, processes and procedures for each state.