
Have you ever wondered who’s keeping tabs on all that personal data we hand out online? You know, those pesky “Accept Cookies” pop-ups or the endless sign-up forms that seem to ask for everything but your childhood pet’s middle name. It’s easy to click “I agree” and move on with life, but sometimes it’s worth pausing to think about how the United States is handling our digital footprints.
Setting the Stage: A Patchwork of State Laws
First off, let’s acknowledge something important: there’s no single, all-encompassing federal privacy law in the U.S. Instead, we have a mixture of state-level rules plus some industry-specific federal laws. If that sounds confusing, well, that’s because it is.
As of February 2025, 20 states have passed comprehensive privacy laws. Think about that for a second—20 different sets of regulations that could apply to businesses depending on where their customers live, how much data they process, and even what type of industry they’re in. If you’re feeling a slight headache coming on, trust me, you’re not alone. My cousin, who runs a small online boutique, told me she felt like she was trying to solve a Rubik’s Cube blindfolded when she started looking into all the different state rules.
California Leads the Charge
Let’s start with California, the big kahuna of state privacy legislation. You might’ve heard of the California Consumer Privacy Act (CCPA), as amended by the CPRA. It applies to a for-profit business that meets any one of three thresholds: annual gross revenue over $25 million, buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving 50% or more of its annual revenue from selling or sharing personal information. Hit any one of those and you’ve got some privacy hoops to jump through.
The CCPA was groundbreaking when it passed because it forced companies to get serious about privacy notices, consumer rights, and data processing rules. But if you think that’s all you need to worry about, I’ve got news for you: 20 states have their own privacy laws, and not all of them follow the exact same script. Some set the minimum number of records at 100,000—which, to be fair, is a pretty common benchmark—but others, like Maryland, say 35,000 records is enough to bring your company under their privacy rules.
Exemptions, Exemptions Everywhere
Now, let’s say you’re in a regulated industry, like finance or healthcare. You might be thinking, “Phew, I’m off the hook because I follow GLBA or HIPAA.” And yes, many state laws do exempt data covered by those federal rules, but (and there’s always a “but,” isn’t there?) the scope of the exemption varies, and the direction of the difference matters. California exempts only the personal information that is actually subject to GLBA, not the institution itself, so any other personal data you handle, like employee info or marketing leads, is still in the crosshairs. Oregon takes a similar data-level approach for most GLBA-covered businesses, with an entity-level carve-out for banks and credit unions. Many other states, by contrast, exempt GLBA-regulated financial institutions at the entity level, so the same company can be fully out of scope in one state and partly in scope in the next. The practical check is simple: read the exemption clause of each statute that applies to you and note whether it says “financial institution” (entity) or “personal data subject to” (data).
Healthcare organizations also get special treatment depending on the state. Some states exempt data covered by HIPAA, while others exempt the entire entity if it’s regulated by HIPAA. Confusing? Absolutely. But that’s the way things work.
The Enforcement Wave
Ever heard the phrase “Don’t mess with Texas”? Well, Texas has been flexing its muscle by using consumer protection laws to go after companies for being “unfair and deceptive” in how they handle data. Meanwhile, New York’s attorney general has been pretty vocal, too, issuing guidelines on how companies should provide clear notice and choice when using cookies and digital trackers.
It’s not just about what’s on the books; it’s also about how states are actually enforcing these rules. Enforcement is ramping up, and it’s making companies realize that data privacy isn’t just a box to check off—it’s a real compliance risk.
AI and Privacy: What’s the Deal?
AI is shaking things up, and not just in sci-fi movies—it’s becoming a bigger part of how decisions are made, from loan approvals to job applications. Some states, like California and Colorado, are stepping in with new laws aimed at keeping AI in check—making sure it plays fair when processing data and doesn’t secretly discriminate. The FTC has also been keeping a close eye on AI, making sure companies don’t sneak around with shady data practices or mislead people about how AI is being used. There’s no big, all-encompassing federal AI privacy law yet, but regulators are making it clear—companies using AI need to be responsible with our data, or they’ll have to answer for it.
Have you ever wondered why the U.S. doesn’t just pass one big federal privacy law? So have I! Congress has tried a few times to get a universal privacy bill through, but nothing’s made it all the way. Instead, we have a bunch of sector-specific laws—like the Gramm-Leach-Bliley Act (GLBA) for financial institutions, HIPAA for healthcare, CAN-SPAM for email marketing—and the Federal Trade Commission (FTC) has authority to police unfair or deceptive acts under Section 5 of the FTC Act.
That might not sound super exciting, but the FTC has shown it can flex its muscles. If a company’s privacy policy says one thing but does another, the FTC can swoop in with enforcement actions. Think of it like a stern parent who’s been watching quietly but will ground you the minute you break curfew.
Staying Ahead in the Privacy Game
Feeling overwhelmed? Don’t worry—you’re not alone. My best advice is to start small: figure out where you stand legally, get a grip on your data, and put together a privacy plan that fits your organization’s size and scope.
Thanks for taking the time to explore the ever-evolving world of U.S. privacy laws. This topic is only growing in importance, and staying informed will help us all navigate the changing landscape of data protection.