The growing number of U.S. states enacting consumer data privacy legislation is creating a confusing patchwork of local laws that will pose compliance challenges for companies operating across jurisdictions. On Jan. 8, the New Jersey legislature became the 13th U.S. state to pass a consumer data privacy law. If approved by Governor Phil Murphy, the law will go into effect one year after its enactment, joining a host of similar laws passed by other states that are either already in effect or are slated to go into effect in the next two years. In 2023, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas all passed data privacy laws, while California, Connecticut, Colorado, Virginia and Utah began enforcing their own state-level laws. Currently, these states' data privacy frameworks are based on either the California Consumer Privacy Act (CCPA), which entered into force in 2020, or the Washington Privacy Act (WPA), which is still being debated in the state legislature. Both the CCPA and the WPA are broadly based on the European Union's General Data Protection Regulation framework. While there is significant overlap between the frameworks, the WPA, which has become the preferred model for recent state laws, takes a much more aggressive approach toward regulating biometric data collection and largely prohibits profiling consumers via collected data. The CCPA also maintains a broader definition of personal data, including data attributable to both individuals and their households, whereas the WPA only covers individuals. 

  • On Jan. 4, the New Hampshire Senate also passed a comprehensive data privacy bill that is now awaiting approval by the House and signature by the governor. If enacted, the new privacy law would go into effect on Jan. 1, 2025.
  • Earlier data privacy laws, like those passed in Colorado, Virginia and Texas, are based on the CCPA model. More recent data privacy laws, including New Jersey's finalized bill and the frameworks passed in Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Utah, are based on the WPA model. 

As Congress remains at loggerheads over a federal consumer data privacy law, several more U.S. states will begin requiring compliance with new data privacy frameworks in 2024 after various other states began enforcing their own laws in 2023. Despite various Congressional efforts to introduce federal data privacy legislation, partisan gridlock has continuously stymied a unified framework. In the absence of federal directions, U.S. states have increasingly taken the initiative to protect their citizens' data by enacting new data compliance requirements. At various points in 2024, Montana, Oregon and Texas will all begin enforcing their data privacy laws, after California, Connecticut, Colorado, Virginia and Utah all did so in 2023. The common stipulations across these data privacy laws include rules around how companies collect, process and store data, as well as how they protect and share it. Many provisions address consumers' right to their data, including the right to access, correction, deletion, portability and opt-out options. Largely speaking, these data privacy rules uniformly regulate businesses that process the data of at least 100,000 state residents or process the data of at least 25,000 state residents but derive more than 25%-50% of their revenue from selling data. 

  • Other U.S. states' frameworks will become effective in the coming years. Delaware and Iowa will begin enforcing their laws on Jan. 1, 2025. Tennessee will begin enforcement July 1, 2025, while Indiana has set its enforcement date for Jan. 1, 2026. 

While there is significant overlap between many of these new frameworks, varying specificities and enforcement timelines will pose greater compliance challenges for companies operating across state lines. Additional U.S. states, including Maine, New Hampshire and New York, also have data privacy legislation currently being discussed in legislative committees, and data privacy bills have been introduced in Kentucky and Montana as well. As new legislation enters deliberation and as many of these frameworks eventually take effect, the U.S. data privacy regulatory environment will become more stringent, broadly heightening companies' data compliance requirements. While all of these new data privacy laws largely adhere to either the CCPA or WPA model, the inclusion of specific state-level stipulations in each framework will still create headaches for companies operating across the United States as they try to comply with a growing number of similar but still nuanced data laws. Additionally, the wide variation in these laws' official enforcement dates will put a further onus on companies to keep abreast of competing timelines. In preparation for these new frameworks, companies will have to invest more time and resources into their cybersecurity, compliance and legal teams to ensure all of their operations comply with each of these states' requirements. The growing proliferation of artificial intelligence (AI) tools and services — a consideration largely absent from states' current data privacy frameworks — will only further complicate compliance with state-level data laws in the coming years. In December 2023, California published draft revisions to its CCPA that aim to address more novel issues related to AI, like automated decision-making technology. As the adoption of these technologies becomes more widespread across industries, other states will also likely either amend their preexisting data laws or create new stipulations for commercialized AI use, further contributing to a complex and varied regulatory landscape.

  • Many current states' data privacy frameworks set fines for noncompliance at up to $7,500 per violation.
  • Some states, including California and Colorado, also offer a private right of action for citizens if they believe their data has been misused.