With no federal data privacy law, 20+ U.S. states have enacted their own regulations, creating a complex patchwork. This fragmentation raises compliance costs, causes consumer confusion, and underscores the urgent need for national legislation.
The United States does not have a single, unified data privacy law, which has led individual states to enact their own data protection regulations – making data privacy fragmentation a real problem. As of April 2025, 20 of the 50 states have introduced data privacy laws with several more states set to join the growing list during 2025.
Because the US operates under a federal system in which states’ rights often lead the way, and both the federal government and individual states can legislate in many areas, including privacy, the state of US data privacy is messy. Reaching consensus on a national standard is difficult, as stakeholders—ranging from tech companies and consumer advocates to legislators from diverse regions—have differing views on what data privacy protections should include. Disagreements over issues such as preemption (whether federal law should override state laws) and private rights of action (allowing individuals to sue for violations) further complicate the process. Without broad political agreement, attempts to pass comprehensive federal legislation have stalled, leaving a patchwork of regulations in their place.
In the absence of a federal standard, individual states have taken the lead in developing their own data privacy and consent laws, resulting in a fragmented regulatory environment.
California set the precedent with the California Consumer Privacy Act (CCPA) and its expansion under the California Privacy Rights Act (CPRA), offering residents extensive rights over their personal data. Other states, such as Virginia, Colorado, Connecticut, and Utah, have followed suit with laws tailored to their own priorities and political climates.
While these state-level laws aim to protect consumers, they also create compliance challenges for businesses operating across multiple jurisdictions. Companies must navigate varying definitions, obligations, and enforcement mechanisms, increasing legal complexity and operational costs. This growing mosaic of privacy laws highlights the urgent need for a cohesive national framework, while also underscoring the states’ roles in driving data privacy protections forward.
Unlike the European Union's General Data Protection Regulation (GDPR), the United States does not have a singular, overarching federal data privacy law. While sector-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) address certain areas, there is no comprehensive federal statute that governs personal data across all sectors. Naturally, this regulatory void has shifted the onus for privacy laws to the individual states – which is often the preferred way of governing in the ruggedly independent US – but it also leads to complex and inconsistent legal practice across jurisdictions.
State by state, these data privacy laws vary in scope, definitions, and enforcement mechanisms, creating a challenging environment for businesses operating across state lines or globally.
California has been at the forefront of data privacy legislation. The California Consumer Privacy Act (CCPA), enacted in 2018, granted consumers rights to access, delete, and opt-out of the sale of their personal information. Building upon the CCPA, the California Privacy Rights Act (CPRA) was approved by voters in 2020, enhancing consumer rights and establishing the California Privacy Protection Agency to enforce the law. The CPRA introduced new rights, such as correcting inaccurate personal data and limiting the use of sensitive personal information.
Many of the most trailblazing interpretations and applications of privacy law have happened in California, including rulings that allow CCPA-driven class action suits to proceed even without evidence of a data breach, in cases where websites have allowed third-party tracking technologies, on the theory that such tracking is a form of “unauthorized disclosure”. Essentially, this sets a precedent classifying privacy missteps as potentially expensive legal problems rather than confining privacy violations strictly to data breaches. Another unusual interpretation involves the California Invasion of Privacy Act (CIPA), which has typically been used to prohibit unauthorized wiretapping but has been extended to treat electronic tracking, such as cookies and pixels, as a form of invasion of privacy.
Several other states have enacted their own privacy laws, each with unique provisions:
Virginia: The Virginia Consumer Data Protection Act (VCDPA) grants consumers rights to access, correct, delete, and opt-out of the sale of personal data.
Colorado: The Colorado Privacy Act (CPA) includes provisions for data minimization, purpose specification, and consumer rights similar to those in California and Virginia.
Connecticut: The Connecticut Data Privacy Act (CTDPA) emphasizes transparency and consumer control over personal data.
Utah: The Utah Consumer Privacy Act (UCPA) focuses on consumer rights and business obligations concerning personal data.
Each of these laws reflects the respective state's priorities and approaches to data privacy, contributing to the overall patchwork of regulations.
The state-by-state approach to data privacy presents several challenges:
Businesses operating in multiple states must navigate a labyrinth of varying requirements, definitions, and enforcement mechanisms. This complexity increases compliance costs and the risk of inadvertent violations. According to a report by the Information Technology and Innovation Foundation (ITIF), the cumulative cost of complying with disparate state privacy laws could exceed $1 trillion over a decade.
For consumers, the lack of uniformity can lead to confusion about their rights and how to exercise them. Different states offer varying levels of protection and mechanisms for data control, making it challenging for individuals to understand and manage their personal information effectively. Figuring out the right approach to balance consumer and business interests is proving challenging, even more so with a patchwork of laws. After all, most surveys show that consumers want more control of their data: “The opt-in model gives consumers more control over their data upfront, but it can create friction for businesses that rely on data for their operations. While more business-friendly, the opt-out model often places the burden on consumers to protect their privacy, leading to ‘consent fatigue’.”
The fragmented regulatory environment may hinder innovation, particularly for startups and small businesses that lack the resources to manage complex compliance requirements. Additionally, inconsistent laws can create barriers to entry and limit the scalability of new technologies and services.
While states have taken tangible steps to protect their residents and consumers, the lack of a unified federal framework makes the future of data privacy murky. Striking a balance between state autonomy and national consistency would best serve both business and consumer-rights interests – but it remains to be seen whether the political will can be mustered to create a unified, comprehensive data privacy regulation covering the United States.
In the interim, businesses must remain vigilant, adapting to the dynamic regulatory environment and prioritizing transparency and consumer trust. Consumers, too, should stay informed about their rights and the protections afforded to them under various state laws.