Bloomberg Law
May 19, 2023, 9:01 AM

Onslaught of State Privacy Laws Complicates Business Compliance

Brenna Goth
Staff Correspondent

The number of states with comprehensive privacy laws is close to doubling to 10 overall this year, expanding the assortment of consumer data requirements for companies to navigate.

Iowa, Indiana, and Tennessee enacted laws in recent weeks while bills in Montana and Florida are awaiting gubernatorial action. The spate of legislative action adds to the five states that already have broad laws giving consumers more control over how companies collect and use their data.

The new measures largely follow existing state privacy approaches, though some of their specific provisions differ. State legislators have pushed wide-ranging consumer protections this year alongside narrower privacy proposals in the absence of a comprehensive federal law.

“Any time that there’s a new state privacy law that passes, we have to sit down with it and we have to ask ourselves, is it applicable to the company?” said David Saunders, partner at McDermott Will & Emery LLP. “And if it is, then the question becomes, OK, what’s different from A to B?”

Additional states will likely add to the privacy patchwork this year. Lawmakers in Texas, for instance, are working to agree on a comprehensive bill after different versions passed the House and Senate.

Differing Specifics

The new comprehensive laws follow similar frameworks to those enacted previously in Colorado, Connecticut, Virginia, and Utah. California is the only state to create a new regulatory agency to oversee its privacy law, the California Privacy Protection Agency that’s charged with rulemaking.

The laws target companies doing business and collecting data on residents in each state, though the thresholds vary to determine which companies fall under new requirements. Provisions generally give consumers the right to know what information companies are collecting and how they’re using it, as well as requiring consent or allowing them to opt out of certain uses.

“They have commonalities, but they are different,” said Odia Kagan, partner and chair of the EU General Data Protection Regulation compliance and international privacy at Fox Rothschild LLP.

Some state laws, for instance, include differing provisions for sensitive data and precise geolocation data, Kagan said. There are additional nuances such as the website disclaimers required and the treatment of targeted advertising, Saunders said.

The Iowa law takes effect Jan. 1, 2025. Tennessee follows on July 1, 2025, and Indiana’s law takes effect on Jan. 1, 2026.

Some states diverged in their privacy approaches. The Florida measure, for instance, would mostly target specific large tech companies, Saunders said. The bill awaits action by Gov. Ron DeSantis (R).

Consumer Reports, which advocates for consumer protections, has called for stronger requirements in most of the states that passed comprehensive privacy measures this year. The group criticized aspects such as the narrow applicability of the Florida measure and weak enforcement mechanisms in the Tennessee law.

A Montana measure awaiting action from Gov. Greg Gianforte (R) provides more meaningful protections, according to the group. The bill would allow consumers to use opt-out signals to express privacy preferences across multiple websites, among other elements cited as consumer-friendly by proponents.

New Reality

For companies, the impacts of the new requirements will vary depending on what privacy laws they’re already following. Some companies could have a lot to do if they’re within the scope of a state privacy law for the first time, Kagan said.

The workload will be less for companies already “taking a substantive approach to compliance” elsewhere that have approaches to issues such as limiting data collection for relevant purposes and risk assessments, she said.

“The new state pieces are not going to make that big a difference,” Kagan said.

Saunders said he works with clients subject to a new law on a gap analysis that considers how their existing privacy protections differ from a state’s requirements. National companies are already aware of the potential for additional state laws—a new reality absent federal action, he said.

“They see the writing on the wall, and they are sort of preparing and thinking about whether to do national rollouts and not wait for other states to act,” Saunders said.

To contact the reporter on this story: Brenna Goth in Phoenix at bgoth@bloombergindustry.com

To contact the editors responsible for this story: Bill Swindell at bswindell@bloombergindustry.com; Stephanie Gleason at sgleason@bloombergindustry.com
