Data privacy has moved from a niche legal concern to a mainstream issue that affects virtually every business that collects customer information and every consumer who uses digital services. The regulatory landscape is shifting quickly. The gap between what federal law requires and what individual states are imposing has created a patchwork of obligations that businesses struggle to navigate, while consumers try to work out what protections they actually have.
Where Federal Law Currently Stands
The United States still doesn’t have a comprehensive federal data privacy law, though that may be changing. Congress has debated various versions of federal privacy legislation for years, with proposals like the American Privacy Rights Act generating significant attention in recent sessions. The absence of federal uniformity has left states to fill the gap, producing a fragmented regulatory environment that varies dramatically depending on where a consumer lives or a business operates.
Federal sector-specific laws still apply across the board. HIPAA governs health information. COPPA protects children’s online data. FERPA covers student records. The FTC continues to use its Section 5 authority over unfair and deceptive practices to bring enforcement actions against companies with inadequate data security or misleading privacy disclosures. But those frameworks leave large areas of consumer data activity without comprehensive federal protection.
The State Law Explosion
California led the way with the California Consumer Privacy Act, which took effect in 2020 and was significantly expanded by the California Privacy Rights Act in 2023. The CPRA established the California Privacy Protection Agency as a dedicated enforcement body and added new rights including the right to correct inaccurate personal information and the right to limit use of sensitive personal data.
Other states have followed with their own frameworks. Virginia, Colorado, Connecticut, Utah, and Texas have all enacted comprehensive consumer privacy laws, and more states are moving through the legislative process. While these laws share common elements, they differ in meaningful ways including which businesses they cover, what rights they grant consumers, and how they’re enforced.
For businesses operating nationally, that patchwork creates compliance complexity that many aren’t fully prepared for. A privacy policy and data handling practice that satisfies one state’s requirements may fall short of another’s.
What Rights Consumers Have Under Current Law
In states with comprehensive privacy laws, consumers generally have the right to know what personal data a business has collected about them. They can request deletion of that data in many circumstances. They can opt out of the sale of their personal information to third parties. They can correct inaccurate information. And in some states they can limit how their sensitive data, including precise geolocation, health information, and biometric data, is used.
The practical exercise of those rights varies. Some businesses make the opt-out process genuinely accessible. Others make it difficult to find or navigate, which itself is increasingly drawing regulatory scrutiny.
Consumers who want to exercise their privacy rights need to submit requests directly to the businesses holding their data, and response timelines and processes vary from business to business and state to state. Complaints about non-compliant responses can be filed with state attorneys general or, in California, with the California Privacy Protection Agency.
What Businesses Face in the Current Environment
Compliance obligations for businesses are significant and growing. Companies that collect personal data from consumers in multiple states need to understand which laws apply to them, what disclosures they’re required to make, what data processing practices are permitted or prohibited, and what technical and administrative safeguards they need to maintain.
Data breach notification requirements add another layer. Most states now require businesses to notify affected consumers within specified timeframes when a breach exposes personal information, and those requirements vary by state in terms of what triggers notification and how quickly it must occur.
Enforcement is ramping up. State attorneys general are bringing cases against companies that violate consumer privacy rights or fail to maintain adequate data security. The FTC has signaled increasing focus on data privacy as a consumer protection priority. And class action litigation under state privacy laws is generating significant exposure for businesses that collect data without adequate disclosures or consent mechanisms.
What’s Coming Next
Federal privacy legislation remains a real possibility, and if it passes with preemption provisions it could significantly simplify the compliance landscape for businesses while potentially raising the floor of protection available to consumers in states with less comprehensive laws.
Artificial intelligence is creating new privacy questions that existing frameworks weren’t designed to address. The use of personal data to train AI models, the privacy implications of AI-generated content, and the use of AI in automated decision-making are all areas where regulation is still catching up to technology.
Biometric data is drawing particular regulatory attention. Illinois’ Biometric Information Privacy Act has generated significant litigation, and other states are enacting similar protections for fingerprints, facial recognition data, and other biometric identifiers.
Stay current with the latest legal news at Information Inside Road for ongoing coverage of the regulatory and judicial developments shaping data privacy law and its effects on consumers and businesses.
