The Compliance Tightrope: Balancing Uniformity and Precision Across U.S. State Consumer Privacy Laws
I. Introduction
This article is designed to provide an overview of the current state consumer privacy landscape in the United States, the key distinctions among these state laws, practical compliance approaches, and actionable takeaways for operationalizing privacy programs in a fragmented regulatory environment.
Companies operating across the United States today face one of the most complex privacy regulatory environments in the world. Unlike the European Union, which adopted a single, comprehensive framework in the General Data Protection Regulation (“GDPR”), the United States has no federal omnibus consumer privacy law governing the collection and use of personal information. States have filled the gap, creating a fast-growing, often contradictory patchwork of rules that challenges even the most sophisticated privacy programs. With over twenty comprehensive state consumer privacy laws now enacted and counting, understanding each state’s requirements – and choosing the right compliance strategy – is no longer optional. It is foundational to responsible data governance and, as cure periods sunset and regulators sharpen their enforcement tools, the margin for error is narrowing by the quarter.
The sections that follow trace the rise of the state-based privacy regime, examine California’s outsized role, survey the “baseline” states that have followed Virginia’s lead, identify the critical distinctions that separate these laws from one another, explore the emerging role of automated decision-making provisions, survey enforcement trends, and present two competing compliance models alongside practical guidance for harmonizing them into a cohesive program.
II. The Rise of the State-Based Privacy Regime
When the GDPR took effect on May 25, 2018, it redefined global expectations for data protection and gave individuals across the European Union a robust set of rights over their personal data. That same year, California enacted the California Consumer Privacy Act (“CCPA”), the first comprehensive consumer privacy law in the United States, which took effect on January 1, 2020. The CCPA was later amended and significantly expanded by the California Privacy Rights Act (“CPRA”), which California voters approved as a ballot initiative in November 2020 and which took full effect on January 1, 2023.[1]
California’s law set the tone. Over the following years, more than twenty additional states enacted their own comprehensive consumer privacy statutes.[2] Each of these laws grants consumers some version of the core rights that have become standard in the modern privacy lexicon – access, deletion, correction, portability, and the ability to opt out of certain processing activities. But while these laws share surface-level similarities, they diverge in critical details. Each state establishes its own definitions, exemptions, applicability thresholds, response timelines, and obligations.
These differences are not academic. They determine whether a particular business must comply at all, how operationally burdensome compliance will be, what categories of data must be protected, and how a company must respond to consumer rights requests. For organizations operating in multiple states – which, in the age of e-commerce, means most organizations of any meaningful scale – this divergence translates into tangible operational complexity.
The absence of a federal privacy law is the primary driver of this fragmentation. Despite sustained interest on Capitol Hill, disagreements over federal preemption of state laws and whether to include a private right of action have repeatedly stalled legislative efforts.[3] In the absence of federal legislation, states continue to fill the void, and the patchwork continues to expand.
III. California: The Most Impactful State
California remains the single most impactful jurisdiction in U.S. privacy law. It enforces some of the strictest requirements in the country, and its law contains several features that no other state has replicated.
- A Standalone Revenue Threshold. California is the only state whose consumer privacy law applies based on a standalone annual gross revenue threshold. Under the CPRA, a business is subject to the law if it has annual gross revenues exceeding $26,625,000 – a figure that the California Privacy Protection Agency (“CPPA”) has inflation-adjusted from the original $25 million threshold.[4] Critically, this revenue test applies regardless of the volume of California residents’ personal information that the business processes. The practical effect is that many business-to-business companies, professional services firms, and other non-consumer-facing organizations are pulled into scope solely by virtue of their revenue, even if they collect or otherwise process minimal consumer data.
- Employment and B2B Data Coverage. Most state privacy laws confine their protections to “consumers,” defined narrowly as natural persons acting in a personal or household capacity – meaning that individuals acting in a commercial or employment context are generally excluded from coverage. As a result, business-to-business contacts, employees, and job applicants typically fall outside the scope of these statutes, unless a specific exception applies. Conversely, California takes a broader approach, applying its law to personal information collected from or about employees, job applicants, independent contractors, and business representatives and contacts who reside in that State.[5] This dramatically expands compliance obligations for human resources departments, recruiting functions, and sales and business development teams – particularly for national companies that meet California’s revenue threshold.
- The Sensitive Data Paradox. One of the more counterintuitive features of the CPRA is its treatment of sensitive personal information. The majority of the other state consumer privacy laws require businesses to obtain opt-in consent before processing sensitive data, such as biometric identifiers, precise geolocation, health- or medical-related details, or information about racial or ethnic origin, among other sensitive data elements.[6] California, by contrast, does not require prior opt-in consent. Instead, the CPRA restricts businesses from using or disclosing “sensitive personal information” beyond those purposes specifically enumerated in the statute, and grants consumers the right to limit that use.[7] In this particular respect, California is surprisingly less stringent than most of its counterparts. In nearly every other regard, however – enforcement mechanisms, applicability thresholds, the breadth of consumer rights, and the scope of covered data – California remains the most complex and operationally demanding state for privacy compliance.
For any organization evaluating or building a privacy program, understanding the full scope of California’s requirements is an essential first step.
IV. Baseline States: The Virginia Model and Its Variations
Outside of California, many states have modeled their comprehensive privacy laws on the Virginia Consumer Data Protection Act (“VCDPA”), which took effect on January 1, 2023.[8] These “baseline” states, which include Indiana, Kentucky, Tennessee, Texas, Nebraska, and Rhode Island, among others, generally share a common architecture.
The baseline model typically provides consumers with:
- Rights to access, delete, correct, and port their personal data;
- Rights to opt out of (i) the sale of personal data, (ii) the processing of personal data for targeted advertising purposes, and (iii) in some states, certain forms of profiling; and
- Requirements that controllers conduct data protection assessments for high-risk processing activities.
This common architecture gives the appearance of uniformity. In practice, however, even these facially similar laws contain differences that create real compliance challenges. The distinctions are often found in the details – in how each state defines key terms, where it sets its applicability thresholds, what exemptions it grants, and how it structures enforcement. The sections that follow highlight the most consequential of these differences.
V. Key Distinctions Among State Privacy Laws
(a) The Definition of “Sale”
The definition of “sale” is among the most consequential variables in the state privacy landscape. California’s CPRA defines “sell” to mean the disclosure of personal information for “valuable consideration,” a formulation broad enough to capture exchanges in which no money changes hands.[9] Under this definition, activities such as third-party analytics integrations, targeting cookies, pixel-based advertising tools, and cross-context behavioral advertising may all constitute a “sale,” triggering specific disclosure obligations and opt-out rights.
Other states, however – including Virginia and Indiana – define “sale” more narrowly, requiring that the exchange involve monetary consideration.[10] This single definitional difference can dramatically alter a company’s compliance strategy with respect to cookies, tracking pixels, analytics tools, and advertising technology. A practice that constitutes a “sale” under California law, requiring prominent opt-out mechanisms, may fall entirely outside the scope of a narrower state’s sale provisions.
(b) Applicability Thresholds
States diverge sharply in when their privacy laws apply:
- California applies its law based on a standalone annual gross revenue threshold of $26,625,000, irrespective of consumer data volume.
- Texas and Nebraska impose no numerical consumer-count thresholds. If a business conducts operations in the state and does not qualify as a “small business” under applicable federal definitions, the law applies.[11]
- Most other states use consumer-count thresholds, but these range widely – from as few as 35,000 residents to as many as 175,000.
- Connecticut is especially notable: effective July 1, 2026, its amended threshold will be low enough that many companies currently outside its scope will unexpectedly qualify.[12]
These threshold differences mean that a company’s applicability analysis cannot be performed once and applied universally. It must be conducted on a state-by-state basis.
(c) Exemptions
Differences in exemptions are among the most operationally significant – and most frequently overlooked – sources of complexity in multistate privacy compliance. This is particularly true for financial services companies, healthcare organizations, and utilities.
Key exemption variations include:
- Some states exempt entities that are subject to the Gramm-Leach-Bliley Act (“GLBA”)[13] in their entirety; others exempt only the data that is subject to GLBA, leaving the entity itself within scope for non-GLBA-covered data.
- Some states exempt regulated utilities, while others do not.
- Some states exempt nonprofit organizations, while others subject them to the full weight of the law.
The result is that a company with identical operations across multiple states may be fully subject to one state’s law, partially exempt from another’s, and entirely excluded from a third’s.
(d) Consumer Rights and Response Timelines
Although the core consumer rights are broadly similar across states, the timelines for responding to consumer requests vary meaningfully. Most states require controllers to respond to consumer requests within 45 days, but several mandate a shorter 30-day window. California imposes a 10-business-day acknowledgment requirement for all requests, in addition to its substantive response deadline.[14] Appeal timelines – the period within which a consumer may appeal a controller’s denial of a rights request – also differ from state to state.
For companies that receive high volumes of consumer rights requests, these timeline variations create genuine operational complexity and increase the risk of inadvertent noncompliance.
(e) Data Rights Variability
Even core privacy rights that appear in most state laws are not truly universal. For example:
- Iowa does not grant consumers the right to correct inaccurate personal data.
- Utah does not require controllers to offer an opt-out right with respect to profiling.
- Oregon and Minnesota require controllers to disclose the specific third parties – not merely categories of third parties – with whom they share consumer data.[15]
These variations may appear minor in isolation. In the aggregate, they meaningfully affect the design of consumer-facing communications, privacy notices, and intake workflows.
VI. Automated Decision-Making and Profiling
An area of growing importance – and one that directly intersects with the rise of artificial intelligence and machine-learning technologies – is the treatment of automated decision-making (“ADM”) and profiling under state consumer privacy laws. As this panel’s learning objectives emphasize, understanding these provisions is essential for any organization deploying algorithmic tools that affect consumers.
Several state privacy laws now grant consumers the right to opt out of profiling that produces legal or similarly significant effects.[16] The specifics, however, vary. Some states define “profiling” broadly to encompass any automated processing used to evaluate, analyze, or predict aspects of an individual’s behavior, preferences, or characteristics. Others limit the opt-out right to profiling that results in decisions with concrete legal, financial, or similarly significant consequences.
Colorado’s regulations are among the most detailed in this area, establishing specific requirements for data protection assessments and consumer notification when profiling is used in connection with decisions that produce legal or similarly significant effects.[17] Connecticut has also strengthened its ADM provisions. As states continue to refine their frameworks, businesses deploying AI-driven tools – including automated underwriting, content personalization, targeted advertising algorithms, and fraud detection models – should expect growing scrutiny of how those tools interact with consumer rights.
The practical takeaway is that companies cannot evaluate their AI and machine-learning deployments in isolation from their privacy compliance obligations. The same algorithmic tool that enhances operational efficiency may trigger profiling opt-out obligations, require a data protection impact assessment, or necessitate heightened consumer disclosures, depending on the state.
VII. Enforcement Regimes and Trends
Understanding state privacy laws also requires understanding how they are enforced, and here, too, the landscape is far from uniform.
- Enforcement Authority. Most state comprehensive privacy laws vest enforcement authority in the state attorney general. California is the notable exception: the CPRA created the CPPA, a dedicated regulatory body with independent rulemaking and enforcement authority – the first of its kind in the United States.[18] The CPPA has been active, issuing regulations, conducting public proceedings, and initiating enforcement actions. In states without a dedicated agency, the attorney general’s office serves as both regulator and enforcer, with varying levels of resources and appetite for privacy-specific enforcement.
- Cure Periods. Many early-enacted state privacy laws included mandatory cure periods – typically 30 days – during which businesses could remedy alleged violations before facing enforcement action. Several states, however, have allowed their cure periods to sunset or have eliminated them altogether.[19] Colorado, Connecticut, and Virginia initially included cure periods that have since expired or transitioned to discretionary consideration. The trend is toward stricter enforcement without a guaranteed opportunity to cure.
- Private Rights of Action. The vast majority of state consumer privacy laws do not grant consumers a private right of action; enforcement is limited to the attorney general or applicable regulatory body. California is the principal exception, providing a limited private right of action for data breaches resulting from a business’s failure to implement reasonable security measures.[20] Washington’s My Health My Data Act also provides a private right of action for violations involving consumer health data.[21] The availability (or absence) of private enforcement rights significantly affects litigation exposure and, accordingly, should influence a company’s risk assessment.
- Enforcement Actions to Date. State regulators have already begun to exercise their enforcement authority. The CPPA and the California Attorney General have pursued actions against companies for alleged failures to honor opt-out requests, provide adequate privacy notices, and comply with data minimization requirements. Other states’ attorneys general have likewise signaled increasing willingness to investigate and act. Companies should treat the current enforcement environment as the floor, not the ceiling, of regulatory activity.
VIII. Compliance Approaches: “Race to the Top” vs. “State-Specific by Design”
With twenty state consumer privacy laws currently in effect, companies face a fundamental strategic question: how to structure a compliance program that addresses multiple overlapping but non-identical legal requirements. Two competing models have emerged.
(a) Approach One: “Race to the Top” (One-Size-Fits-All)
Under this approach, a company identifies the most stringent requirement from across all applicable state consumer privacy laws – whether it relates to consumer rights, response timelines, sensitive data handling, or opt-out obligations – and applies that requirement universally to all consumers, regardless of their state of residence.
In sum: The “Race to the Top” approach trades operational simplicity for the risk of over-compliance. This approach works best for organizations that prioritize uniformity and have the resources to meet the highest standard across the board. It simplifies training, reduces the risk that employees will apply the wrong rule, promotes consistency across systems, and offers a degree of future-proofing as new states enact laws. However, it carries real risks. Voluntarily extending California-level rights to consumers in states with less demanding laws may create enforcement exposure if the company fails to meet those self-imposed standards. And for certain obligations – such as universal opt-in consent for health data under Washington’s My Health My Data Act – blanket application may be impractical or commercially untenable.
(b) Approach Two: “State-Specific by Design” (Jurisdiction-Specific)
Under this approach, a company builds state-specific workflows – often supported by geolocation tools – to apply the precise legal requirements of each state to the consumers who reside there.
In sum: The jurisdiction-specific approach trades operational complexity for precision and flexibility. It is well-suited to organizations in regulated industries – financial services, healthcare, and data-intensive businesses – where over-compliance may carry genuine commercial costs or where state-specific exemptions offer meaningful relief. It avoids unnecessary obligations and allows businesses to tailor their programs to the regulatory environment that actually applies. On the other hand, this approach demands branching logic in technology systems, rigorous training and internal oversight, and ongoing monitoring of legal developments. Regulators may also view inconsistency across jurisdictions as a red flag if programs are not carefully documented and implemented.
(c) Finding the Middle Ground
In practice, most companies will adopt a hybrid approach that draws on the strengths of both models. A common framework might apply a uniform set of consumer rights across most states – honoring the broadest access, deletion, and opt-out rights regardless of jurisdiction – while introducing state-specific overlays only where the legal requirements diverge materially. A single privacy notice with jurisdiction-specific addendums, for example, can provide consistency without the chaos of fully splintered programs. This hybrid model allows companies to reduce over-compliance in states with narrower requirements while maintaining the operational simplicity needed to scale a privacy program across the country.
IX. Practical Key Takeaways for Companies
As this panel’s learning objectives emphasize, understanding the law is only part of the challenge. Operationalizing a compliance program across more than twenty jurisdictions requires practical planning. The following takeaways are designed to bridge the gap between legal analysis and day-to-day execution.
- Conduct a Thorough Applicability Assessment. Do not assume that a single applicability analysis covers all states. Since thresholds, exemptions, and definitions vary, a company may be in scope in one state and exempt in another. This assessment should be revisited at least annually, as states continue to amend their laws and adjust their thresholds.
- Map Your Data Flows. Understanding what personal data the organization collects, from whom, where it flows, and with whom it is shared is a prerequisite to compliance with any state privacy law. Data mapping also supports data protection assessments, which an increasing number of states require for high-risk processing activities.
- Evaluate Your Compliance Model Deliberately. Whether a company chooses a race-to-the-top model, a jurisdiction-specific approach, or a hybrid, the decision should be made intentionally, not by default. The right model depends on the company’s operations, systems, risk tolerance, industry, data practices, and internal resources.
- Pay Close Attention to Sensitive Data. Because states define “sensitive data” differently and impose divergent consent requirements – opt-in in most states, use-limitation in California – companies must understand exactly what data they process that falls into a “sensitive” category and how each applicable state regulates it.
- Build Profiling and ADM Compliance into AI Governance. Companies deploying AI and machine-learning tools should evaluate those tools against each applicable state’s profiling and automated decision-making provisions. As regulators sharpen their focus on algorithmic accountability, the intersection of privacy law and AI governance will only become more consequential.
- Monitor Enforcement Trends. The enforcement landscape is evolving rapidly. Companies should track regulatory guidance, enforcement actions, and litigation developments as leading indicators of regulatory expectations. Early investment in monitoring pays dividends in reduced enforcement risk.
- Invest in Training. The complexity of multistate privacy compliance makes employee training essential. Whether a company adopts a uniform or jurisdiction-specific model, front-line personnel – from customer service representatives to marketing teams to HR professionals – need to understand their obligations and how to execute them correctly.
- Revisit and Refresh. Privacy compliance is not a one-time project. With new laws taking effect, existing laws being amended, cure periods sunsetting, and enforcement accelerating, companies should treat their privacy programs as living frameworks that require continuous attention.
X. Conclusion
The U.S. state consumer privacy landscape has reached a level of complexity that demands sustained, deliberate attention from every organization that collects personal information. Understanding each state’s unique thresholds, definitions, exemptions, consumer rights, and enforcement mechanisms is foundational. But choosing the right compliance approach – and operationalizing it effectively – is equally important.
Whether an organization leans toward a one-size-fits-all strategy, a jurisdiction-specific approach, or a hybrid model, thoughtful planning and consistent execution are essential. The practical takeaways outlined above are intended to help attendees of this panel translate the legal landscape into concrete compliance action. As states continue to legislate and regulators continue to enforce, the companies that invest in understanding and operationalizing these frameworks will be best positioned to manage risk and build trust with the consumers they serve.
For further reference, practitioners may wish to consult Foley & Lardner LLP’s U.S. State Comprehensive Consumer Data Privacy Law Comparison Chart, available at https://www.foley.com/insights/publications/2026/01/us-state-consumer-data-privacy-laws/.
[1] Cal. Civ. Code § 1798.100, et seq. For ease of readability, the CCPA and CPRA are collectively referred to as the CPRA.
[2] As of the date of this article, comprehensive state consumer privacy laws have been enacted in, among other states, California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island.
[3] See, e.g., American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2022) (advanced out of committee but did not receive a floor vote).
[4] Cal. Civ. Code § 1798.140(d)(1)(A); Cal. Code Regs. tit. 11, § 7001(d) (inflation-adjusted threshold).
[5] Cal. Civ. Code § 1798.140(c)(1)–(2).
[6] See, e.g., Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7); Conn. Gen. Stat. § 42-520(a)(5).
[7] Cal. Civ. Code § 1798.121(a).
[8] Va. Code Ann. §§ 59.1-575 to 59.1-585. Other baseline states include, but are not limited to, Indiana (Ind. Code §§ 24-15-1-1 to 24-15-14-1), Kentucky (Ky. Rev. Stat. Ann. §§ 367.400–367.499), Tennessee (Tenn. Code Ann. §§ 47-18-3301 to 47-18-3313), Texas (Tex. Bus. & Com. Code §§ 541.001–541.205), Nebraska (Neb. Rev. Stat. §§ 87-1101 to 87-1116), and Rhode Island (R.I. Gen. Laws §§ 6-48.1-1 to 6-48.1-16).
[9] Cal. Civ. Code § 1798.140(ad)(1).
[10] See Va. Code Ann. § 59.1-575 (defining “sale of personal data” as an exchange of personal data “for monetary consideration” by a controller to a third party); Ind. Code § 24-15-2-17 (same).
[11] Tex. Bus. & Com. Code § 541.002(a); Neb. Rev. Stat. § 87-1103.
[12] Conn. Gen. Stat. § 42-516(a) (as amended, effective July 1, 2026).
[13] 15 U.S.C. §§ 6801–6809.
[14] Cal. Civ. Code § 1798.130(a)(1).
[15] See Iowa Code ch. 715D (omitting a right to correction); Utah Code Ann. §§ 13-61-101 to 13-61-404 (omitting a profiling opt-out right); Or. Rev. Stat. § 646A.578(1)(d) (requiring disclosure of specific third parties); Minn. Stat. § 325O.07, subd. 1 (similar).
[16] See, e.g., Colo. Rev. Stat. § 6-1-1306(1)(a)(IV); Conn. Gen. Stat. § 42-520(a)(6); Va. Code Ann. § 59.1-577(A)(5).
[17] 4 Colo. Code Regs. § 904-3, Rules 7-8.
[18] Cal. Civ. Code § 1798.199.10.
[19] See, e.g., Va. Code Ann. § 59.1-584(B) (30-day cure period); Colo. Rev. Stat. § 6-1-1311 (cure period sunset Jan. 1, 2025).
[20] Cal. Civ. Code § 1798.150(a)(1).
[21] Wash. Rev. Code §§ 19.373.005–19.373.900.