PRIVACY PODCAST EPISODE THREE: State of Confusion: Navigating the U.S. Privacy Law Maze
主要收获
- U.S. privacy compliance has become significantly more complex due to the rapid growth of state consumer privacy laws, each with unique thresholds, exemptions, rights, and definitions.
- California remains the most stringent and operationally impactful state, especially because it regulates business‑to‑business and employee data, unlike most other states.
- Many states follow similar patterns, but critical distinctions—such as the definition of “sale,” applicability thresholds, and treatment of sensitive data—substantially affect compliance programs.
- Two competing approaches have emerged: the “Race to the Top” (one‑size‑fits‑all) model and the “Different Strokes” (jurisdiction‑specific) framework. Most companies will land somewhere between the two.
- Even perfect compliance with state privacy laws does not shield companies from litigation risks under older, repurposed laws such as the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA).
- Organizations should revisit their website tracking practices, cookie consent strategies, vendor contracts, and arbitration clauses to reduce exposure to these non‑privacy‑law threats.
- The privacy landscape continues to evolve quickly, and businesses should continuously monitor developments, update internal processes, and refine compliance strategies.
导言
If you are a company operating across the United States today, you are navigating one of the most complex privacy regulatory environments in the world. Unlike the European Union, which has a single, comprehensive privacy framework in the General Data Protection Regulation (GDPR), the U.S. has no federal privacy law governing the collection and use of personal information. Instead, states have taken the lead — creating a fast‑growing, often contradictory patchwork of rules that can create compliance challenges even for sophisticated businesses with strong privacy practices.
In the State of Confusion: Navigating the U.S. Privacy Law Maze episode of Foley & Lardner’s Privacy podcast, attorneys Sam Goldstick and Alex Misakian from Foley’s Technology Transactions, Cybersecurity & Privacy Practice Group broke down this maze with clarity, humor, and practical insights. Their discussion covered the evolution of state privacy laws, the nuances that distinguish them, and the operational decisions companies must make to remain compliant. They also explored why, even when companies “get privacy right,” they are still vulnerable to lawsuits under older statutes that predate the modern internet.
The Rise of the State-Based Privacy Regime
When the GDPR took effect in 2018, it redefined expectations worldwide for data protection. That same year, California passed the California Consumer Privacy Act (CCPA) — the first comprehensive consumer privacy law in the U.S., later amended and expanded into the California Privacy Rights Act (CPRA). California’s law set the tone, and over the following years, more than 20 additional states enacted their own privacy statutes.
As Goldstick noted, the U.S. privacy landscape today is defined by similarity on the surface but divergence in the details. All these laws grant certain consumer rights — like the right to access personal data and the right to delete it — but they implement these rights differently. Each state uses its own definitions, exemptions, applicability thresholds, timelines, and obligations.
This divergence is not merely academic. It determines whether your business must comply, how operationally burdensome compliance will be, which data must be protected, and how companies must respond to consumer requests.
Despite calls for a federal privacy law, disagreements over preemption and private rights of action have stalled progress in Congress. In the absence of federal legislation, states continue to fill the void.
California: The Most Impactful State in the United States
California remains the heavyweight in U.S. privacy law. It enforces some of the strictest requirements and includes several features other states do not.
A Standalone Revenue Threshold
California is the only state whose privacy law applies when a business meets a standalone revenue threshold — $26,625,000 (inflation-adjusted from the original $25M) in annual gross revenue — regardless of how many consumers’ data it processes. This threshold means many business‑to‑business companies and non‑consumer‑facing organizations are subject to the law.
Employment and B2B Data Coverage
Most states limit their consumer privacy laws strictly to “consumers.” California applies its law to:
- 员工
- Job applicants
- Contractors
- Business representatives/contacts
This dramatically expands compliance obligations for HR teams and sales operations, especially for national companies that meet California’s applicability threshold.
Opt-Out vs. Opt-In for Sensitive Data
Many states require opt‑in consent to process sensitive data. California instead generally restricts businesses from using or disclosing residents’ “sensitive personal information” beyond those purposes specifically enumerated in the CPRA (and does not require covered businesses to obtain prior opt-in consent from individuals), making the CPRA surprisingly less stringent than the vast majority of other existing state consumer privacy laws in this respect. But in nearly every other regard — enforcement, thresholds, rights, and scope — California remains the most complex state to comply with.
For any business evaluating its privacy compliance program, understanding California’s operational impact is essential.
Baseline States: The Virginia Model and Its Variations
Outside of California, many states have enacted laws modeled on the Virginia Consumer Data Protection Act (VCDPA). These “baseline states” include:
- 弗吉尼亚州
- 印第安纳
- 肯塔基州
- 田纳西州
- 德克萨斯州
- 内布拉斯加州
- 罗德岛州
These baseline states generally provide:
- Right to access
- Right to delete
- Right to correct
- Right to portability
- Right to opt out of sales
- Right to opt out of targeted advertising (or “sharing” under the CPRA)
- Right to opt out of profiling in certain contexts
But, as Misakian explained, even these “similar” states include differences that can create major compliance challenges.
Key Distinctions Among State Privacy Laws
Definition of “Sale”
Many states adopt California’s broad definition of “sale,” which means sharing personal data for “valuable consideration”, even if no money is exchanged. Under this definition:
- Third‑party analytics
- Targeting cookies
- Pixel‑based ad tools
- Cross‑context behavioral advertising
…may be considered a “sale,” requiring specific disclosures and opt‑out rights.
Some states, however — such as Virginia and Indiana — take a narrower view, requiring monetary consideration for a sale to occur.
This single definitional difference can dramatically alter compliance strategies for cookies, pixels, and analytics tools.
Applicability Thresholds
States diverge sharply in when their laws apply.
- California: Standalone revenue threshold.
- Texas & Nebraska: No numerical thresholds; if you do business in the state and are not a small business under federal rules, the law applies.
- Others: Consumer‑count thresholds ranging from 35,000 to 175,000 residents.
Connecticut is especially notable: starting July 1, 2026, its threshold is so low that many companies will qualify unexpectedly.
豁免
Differences in exemptions create significant compliance headaches, especially for financial services, healthcare, and utilities.
Examples:
- Some states exempt GLBA‑covered financial institutions entirely.
- Others exempt only GLBA‑covered data, not the entity.
- Some exempt utilities, while others do not.
- Some exempt nonprofits, while others regulate them.
A business subject to one state’s law may be exempt from another’s, even if its operations are identical.
Consumer Rights & Timelines
Response timelines also vary:
- Some states require responses within 45 days
- Others require 30 days
- California requires a 10‑day acknowledgment in all cases
Appeal timelines differ as well, creating additional burdens for companies with high request volumes.
Data Rights Variability
Even core privacy rights differ across states.
Examples:
- Iowa offers no correction right.
- Utah does not require opt‑outs for profiling.
- Oregon and Minnesota require businesses to disclose specific third parties with whom they share information.
These variations may seem small, but they meaningfully impact operations and consumer communications.
Compliance Approaches: One-Size-Fits-All vs. Tailored Models
Goldstick and Misakian debated two primary approaches companies can take when building privacy programs.
Both approaches offer strengths and weaknesses, and most organizations will eventually land somewhere between them.
Approach One: “Race to the Top”
(One-Size-Fits-All)
This approach applies the most stringent requirements from across all applicable states to all consumers, regardless of their state of residence.
优势
- Simplifies internal operations
- Reduces risk of misclassification
- Promotes consistency across systems
- Helps future‑proof against new state laws
- Allows companies to market strong privacy protections
- Creates potential legal risk:
By voluntarily applying California rights to all consumers, companies may expose themselves to enforcement if they miss deadlines or mishandle rights requests. - May impose unnecessary obligations:
For instance, treating all consumers as if they are subject to Washington’s My Health My Data Act would require universal opt‑in consent for health data — highly impractical for many businesses.
Employees are less likely to apply the wrong rule because there is only one rule.
Challenges
- Creates potential legal risk:
By voluntarily applying California rights to all consumers, companies may expose themselves to enforcement if they miss deadlines or mishandle rights requests. - May impose unnecessary obligations:
For instance, treating all consumers as if they are subject to Washington’s My Health My Data Act would require universal opt‑in consent for health data — highly impractical for many businesses.
Approach Two: “Different Strokes for Different Folks” (Jurisdiction-Specific)
This approach builds state‑specific workflows, often supported by geolocation tools, to apply the right rules to the right consumers.
优势
- Supports flexibility where it matters
- Avoids over‑compliance
- Allows businesses in regulated industries to tailor rules for specific states
- Reduces operational burdens in states with fewer requirements
This method works well for organizations needing to preserve business agility — for example, healthcare and financial services companies, or businesses whose success depends heavily on data analytics.
Challenges
- More operationally complex
- Requires branching logic
- Higher risk of employee or system error
- Requires rigorous training and internal oversight
Regulators may also perceive inconsistency across jurisdictions as a red flag if programs are not carefully implemented.
Finding the Middle Ground
As both agreed, most companies will adopt a hybrid approach.
例如:
- Apply a uniform set of rights across most states
- But tailor obligations for outlier states like Washington or Texas
- Use a common privacy notice with addendums
- Introduce state‑specific overlays only where absolutely necessary
- Preserve flexibility where it materially impacts business operations
This approach reduces over‑compliance while avoiding the operational chaos of fully splintered programs.
The Hidden Thread: Non-Privacy-Law Lawsuits
Even perfect compliance with state privacy laws does not protect companies from exposure to an entirely separate and growing category of litigation: claims under older laws not written for modern technologies.
Two statutes in particular have become favorites of the plaintiffs’ bar.
The California Invasion of Privacy Act (CIPA)
Originally enacted in 1967 as a wiretapping law, CIPA was never intended to regulate pixels, cookies, chatbots, or web analytics. Yet plaintiffs now argue that:
- When a website uses third‑party tools like the Meta Pixel
- And those tools collect browsing or interaction data
- The website operator is “aiding and abetting” third‑party eavesdropping
This theory has resulted in hundreds of lawsuits, with statutory damages up to $5,000 per violation or three times actual damages (whichever is greater), plus injunctive relief.
Even nuisance claims can be expensive to resolve.
Although legislative efforts to modernize CIPA exist, progress has stalled. Businesses must assume these lawsuits will continue.
The Video Privacy Protection Act (VPPA)
Passed in 1988, the VPPA was designed to protect video rental records in the era of Blockbuster. Today, plaintiffs argue that:
- A user watching a video clip on a website
- Combined with third‑party tracking tools
- Equals unlawful disclosure of “viewing history”
Courts have entertained this theory, and several large settlements — including $46 million in 2024 across six major cases — show how serious the exposure can be.
Industries most at risk include:
- Media
- 零售
- 财务
- 医疗保健
- Any website with embedded video and Meta Pixel installed
POST-PODCAST UPDATE: On January 26, 2026, the U.S. Supreme Court granted certiorari in Salazar v. Paramount Global, which may provide clarity on key questions about VPPA standing and scope; until then, VPPA litigation remains a major risk vector.
Risk-Reduction Strategies for These Non-Privacy Laws
To mitigate the risk of CIPA and VPPA lawsuits, Goldstick and Misakian recommend:
- Using YouTube A‑Frame players with upfront disclosures
- Implementing robust cookie consent managers
- Conducting website tracking audits
- Reviewing contracts with vendors that receive personal data
- Ensuring arbitration clauses exist in Terms of Use
- Maintaining ongoing monitoring of legal developments
Many clients are surprised to learn what tracking tools are running on their websites. And because litigation theories shift quickly, businesses should treat this as an ongoing compliance area — not a one‑time review.
The Privacy Compliance Bottom Line
The podcast concluded with three major takeaways for organizations evaluating or maturing their privacy programs:
1. The Privacy Landscape Is Only Getting More Complicated
With over 20 comprehensive state consumer privacy laws currently in effect and more on the way, the patchwork of state privacy laws across the U.S. will remain fragmented for the foreseeable future. Companies cannot rely on federal legislation to unify the rules anytime soon.
2. Your Compliance Approach Must Fit Your Business
Whether you choose a race‑to‑the‑top approach, a tailored jurisdiction‑specific model, or a hybrid solution, the right choice depends on:
- Your operations
- Your systems
- Your risk tolerance
- Your industry
- The nature of your data
- Your internal resources
3. Even Perfect Compliance Is Not Enough
CIPA and VPPA claims create additional litigation risk, which requires separate risk‑reduction strategies beyond privacy law compliance.
结论
State consumer privacy laws have created a dynamic, often dizzying patchwork of requirements that businesses must navigate carefully. Understanding each state’s unique thresholds, definitions, exemptions, and consumer rights is foundational — but choosing the right approach for your company’s privacy program is equally important.
Whether your organization leans toward a one‑size‑fits‑all strategy, a more tailored approach, or a hybrid model, thoughtful planning and consistent execution are essential. And because legal threats increasingly arise from older statutes not designed for modern technologies, companies must review their web tracking practices, vendor relationships, and disclosures with equal rigor.
For organizations navigating this complex terrain, Foley’s Technology Transactions, Cybersecurity & Privacy Practice Group is here to help — offering practical, actionable guidance grounded in deep experience.
Interested in staying ahead of the latest privacy developments?
Listen to Foley’s Privacy Group podcast series, where our attorneys break down evolving regulations, emerging risks, and what they mean for your business.
