It’s Not Just CCPA/CPRA Anymore: How to Navigate Emerging State Privacy Laws


Privacy laws in the United States are evolving rapidly, with states like California, Virginia, and Colorado leading the charge. Since the landmark California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), many other states have enacted their own regulations to protect consumer data.

In 2025, 18 states will enforce privacy laws, making it critical for businesses to stay informed and compliant. Below, we break down what you need to know about current and upcoming regulations, including how to navigate differences in enforcement, consumer rights, and compliance thresholds.


Key Milestones in U.S. Privacy Legislation

It’s been five years since the CCPA became law, followed a year later by an updated version, the CPRA.

The CCPA was enacted in 2018 and became enforceable on January 1, 2020. This groundbreaking law granted consumers significant control over their personal data. It introduced the rights to access and delete one’s data and to opt out of its sale.

Building on that, the CPRA, which took effect on January 1, 2023, expanded consumer rights and created new obligations for businesses. It also established the California Privacy Protection Agency (CPPA) to oversee compliance. Key enhancements under the CPRA include:

  • The right to correct personal information
  • Expanded definitions of “sensitive personal information” with specific handling requirements
  • Stricter data minimization and purpose limitation rules

Since the enactment of the CCPA and CPRA, many other states have been working on developing, passing, and enforcing their own flavor of privacy law.

First out of the gate was the state of Virginia with the Consumer Data Protection Act (CDPA) enacted in 2021 and effective January 2023. Key distinctions of the CDPA include:

  • Exemptions for certain industries, such as higher education institutions.
  • A more business-friendly approach with fewer data-handling obligations compared to California's framework.

Colorado soon followed with the Colorado Privacy Act (CPA) enacted in 2021 and effective July 2023. The CPA tried to strike a balance between consumer rights and business compliance. It required businesses to implement:

  • Universal opt-out mechanisms like Global Privacy Controls (GPC)
  • Detailed transparency regarding data collection and processing practices

The Federal Privacy Law Debate

Federal regulation is in limbo at this point. Aspects of privacy continue to be handled piecemeal, and the big question is whether federal legislation will supersede state legislation.

Existing federal frameworks, such as the Privacy Act of 1974, provide limited guidance, primarily regulating how federal agencies manage personal data. This law established Fair Information Practices (FIPs), which serve as foundational principles for privacy frameworks worldwide.

More recently, federal discussions have centered on the American Privacy Rights Act (APRA), which builds upon the American Data Privacy and Protection Act (ADPPA). Key features of APRA include:

  • Provisions for protecting minors' data
  • Guidelines for preempting state privacy laws, raising concerns over whether it would override or coexist with state frameworks
  • A focus on balancing business needs with consumer protection, particularly for small businesses

However, as mentioned above, challenges to creating a unified federal framework continue to persist. Disagreements over state law preemption, enforcement mechanisms, and scope of coverage have stalled progress. This has left businesses grappling with a patchwork of state regulations while waiting for clarity on federal standards – and holding out for federal law that provides a uniform framework may not be an option either.

State-by-State Privacy Laws: What’s Enacted and What’s Next

Not waiting for the federal government, many states have been actively discussing privacy legislation to protect the citizens of their state. Needless to say, these frameworks are created with the needs of the state first and foremost.

As of now, 18 other states have enacted their own privacy laws, which are either already in force or will be enforced soon.

In addition to California, Virginia, and Colorado, the states of Connecticut, Montana, Oregon, Texas, and Utah have enacted their own frameworks and have begun enforcement. Five more states (Delaware, Iowa, Nebraska, New Hampshire, and New Jersey) will begin enforcement in January 2025. The timeline will be as follows:

  • Delaware – January 1, 2025
  • Iowa – January 1, 2025
  • Nebraska – January 1, 2025
  • New Hampshire – January 1, 2025
  • New Jersey – January 15, 2025
  • Tennessee – July 1, 2025
  • Minnesota – July 31, 2025
  • Maryland – October 1, 2025
  • Indiana – January 1, 2026
  • Kentucky – January 1, 2026
  • Rhode Island – January 1, 2026

Core Elements of State Privacy Frameworks

The frameworks being enacted all use elements of the GDPR or the APRA, or both, as their basis but include their own local flair. Entry thresholds and definitions of key terms like consumer, sale, personal data, and sensitive data can differ from state to state. Consumer rights and exempted parties also vary widely.

Each framework covers aspects of consent, rights, and security and includes elements of:

  • Privacy policy document
  • Disclosure of cookie and tracker use and disposition
  • Options for consent choices
  • Utilization of browser-based universal opt-out mechanisms such as Global Privacy Control (GPC)
  • An explanation of rights including, in most cases, access and deletion
    • Verification is not required in some states
    • Some states offer portability and data correction
    • Some states offer “do not sell” and “do not process sensitive data” options

Different entry considerations (applicability thresholds) include:

  • Doing business in the state
  • Most have a threshold for the volume of consumer data processed, except for Texas and Nebraska
  • If personal data is bought or sold
  • Exemptions for government agencies, nonprofits, and institutions of higher education may exist

Compliance Challenges for Businesses

Navigating state privacy laws presents significant challenges. With each state enacting its own privacy framework, organizations must manage complex requirements and varying enforcement approaches. On top of that, the operational burden of compliance also becomes tricky. For example, most states rely on their attorneys general for rulemaking and enforcement. However, there are exceptions, such as California, which created a Privacy Advocate Department; Colorado, which authorized assistant district attorneys to initiate action; and New Jersey, which authorized the Division of Consumer Affairs.

Definitions of key terms such as "personal data" and "consumer" also differ, with California taking a broader approach compared to Virginia's narrower interpretation. Entry thresholds further complicate matters, ranging from Colorado's 100,000-consumer requirement to Nebraska's lack of a threshold.

Enforcement mechanisms and compliance processes add to the burden. Businesses must handle diverse rules for data mapping, consent management, and employee training to meet state-specific requirements. California’s centralized enforcement contrasts with Colorado’s decentralized approach and Virginia’s mediation-first model, creating a complex compliance landscape.

To address these challenges, businesses should conduct privacy audits, adopt scalable compliance tools, and consult legal experts versed in applicable privacy laws to stay updated on evolving regulations. Partnering with experienced advisors like Americaneagle.com simplifies compliance efforts and builds trust with consumers.

What Businesses Need to Do Now

As privacy laws continue to emerge and evolve, businesses should take proactive steps to ensure compliance and protect consumer trust.

  • Consult legal experts: laws widely vary across states, so it’s essential to consult legal professionals who specialize in data privacy. They can help you identify which state laws apply to your business, interpret nuanced definitions and thresholds, and develop compliance strategies.
  • Leverage consent and rights management tools: these tools are vital for handling state-specific privacy requirements efficiently. The tools enable businesses to automate opt-in and opt-out preferences across jurisdictions, provide consumers with easy access to their data and rights, and implement universal opt-out mechanisms like global privacy controls (GPC).

The Path Forward in Privacy Compliance

Consumers are more privacy-conscious today than ever before, and businesses cannot afford to take a reactive approach to compliance. By prioritizing proactive measures, like conducting privacy audits, implementing robust consent and rights management tools, and consulting legal experts, they can navigate the complexities of state laws with confidence.

Partnering with experienced providers like Americaneagle.com ensures you have the guidance and resources needed to stay compliant while fostering consumer trust. With the right strategies in place, your business can not only mitigate risks but also position itself as a leader in data responsibility.

The path forward in privacy compliance is clear: take action now, work with trusted experts, and invest in systems that protect your business and your customers. Americaneagle.com is your website company and is here to help you succeed every step of the way.

FAQs About State Privacy Laws

As we’ve learned throughout this article, state privacy laws can be confusing. Here are our responses to some frequently asked questions:

What is the difference between CCPA and CPRA?

The California Consumer Privacy Act (CCPA) was the first comprehensive privacy law in the U.S., granting consumers rights such as access to and deletion of their personal data. The California Privacy Rights Act (CPRA), which builds on the CCPA, introduces additional protections, including the right to correct personal data, stricter rules for sensitive personal information, and enhanced data minimization requirements. The CPRA also established the California Privacy Protection Agency (CPPA) to oversee enforcement.

Does my small business need to comply with privacy laws?

It depends on your state and business operations. Many state laws, like California’s CPRA, have thresholds for applicability. Some states, such as Nebraska, have no minimum threshold. We recommend you consult with legal experts to determine whether your business falls under these regulations.

How do I ensure my business complies with multiple state privacy laws?

Start with a comprehensive data audit to map out your data collection, processing, and sharing practices. Implement a consent management system that accommodates state-specific opt-in or opt-out requirements and regularly update your privacy policy to reflect evolving laws. Consulting legal experts and using tools provided by privacy compliance partners can help streamline these efforts.

Will federal privacy laws override state laws?

Right now, the answer is uncertain. If a federal privacy law is passed, it could either preempt state laws, creating a unified framework, or coexist alongside them. As such, businesses should prepare for both possibilities by maintaining flexibility in their compliance strategies.

About the Author

Greg Black

Greg has been with Americaneagle.com for 17+ years and has worked as a developer, account manager, project manager, and technical manager on many small and large scale websites. He is currently serving as the privacy advocate in order to educate and get the word out about privacy best practices, legislation, and compliance. On his off hours, Greg serves as Scoutmaster for a great troop of kids and enjoys teaching about camping, outdoor cooking, and orienteering.