US state privacy landscape complicates global privacy compliance
March 2026 | SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY
Financier Worldwide Magazine
As Congress struggles to translate years of debate over a comprehensive US federal data privacy framework into law, state legislatures and attorneys general continue to drive the development of the US data privacy regulatory landscape.
While there are some federal privacy laws, these are mostly sector-specific, like the Gramm-Leach-Bliley Act (GLBA) for financial institutions (FIs) or the Health Insurance Portability and Accountability Act (HIPAA) for certain health care entities, or narrow, like the notably idiosyncratic Video Privacy Protection Act (VPPA) for companies handling audiovisual materials – a recent favourite of the plaintiff’s bar.
However, a total of 19 states have now enacted comprehensive data privacy laws that impose similar but slightly varying obligations around transparency, consumer rights, risk assessments and purpose limitations for businesses that collect and process US consumer personal data. Layered onto these comprehensive state privacy laws are more narrow state privacy laws that target only certain types of data or particular use cases.
With so many of these laws now in effect – and the potential for more on the horizon – the differences between them are creating real challenges for businesses that operate in the US. In addition, state attorneys general (AG) enforcement of these laws is significant. Businesses and those financing them need to understand when these laws apply, what they require, and how compliance can be achieved where there are meaningful variations across states.
State comprehensive privacy laws
As a trailblazer in US state privacy law, California was the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in 2018.
Since then, 18 other states have followed suit and implemented variations of a privacy law that establishes privacy rights for consumers such as the right to access, deletion and portability of personal data, and also requires entities to conduct data protection assessments, implement safeguards related to sensitive data, provide adequate notice of data practices and allow consumers to opt out of sales of personal data.
Although the laws share a majority of their provisions, there are some notable variations that can affect companies subject to multiple state laws. One important difference is how state comprehensive privacy laws treat GLBA exemptions: entity‑level exemptions remove FIs entirely from a law’s scope, while data‑level exemptions exclude only certain data types, leaving the FI otherwise subject to regulation.
For example, the same FI handling the same data may be fully exempt from Delaware’s comprehensive privacy law, subject only to a data‑level exemption under Minnesota’s law and fully regulated without any exemption under California’s law. Statutory requirements vary as well. For example, where many laws just require an opt-in consent to handle sensitive information, Maryland not only categorically prohibits entities from selling sensitive data, but it also requires entities to only collect the “minimum data necessary” for both sensitive and general consumer data.
Companies need to think strategically about how to build compliance programmes that can work across all these variations in the state comprehensive privacy laws. Each law is enforced by its respective state AG. Some states, like California, Colorado and New Jersey, also authorise the AG to promulgate additional regulations. Only California recognises a limited private right of action in instances of a data breach.
Although no state legislatures passed new comprehensive privacy laws this past year, several states including Connecticut, Montana, Kentucky and Oregon passed meaningful amendments to their states’ existing privacy laws. The amendments enacted this year underscore two trends, including stronger protections for minors’ personal data and broader coverage of entities and data processing practices.
Data or use case specific privacy laws
Many states have also adopted more targeted state data protection laws, often aimed at specific data types or sectors, like education technology providers, consumer health and data brokers. For example, many states now have laws that are largely designed to protect minors online.
These include age-appropriate design code type laws similar to the one in the UK, age verification requirements and restrictions on social media companies. Five states (California, Maryland, Connecticut, Nebraska and Vermont) now have age-appropriate design codes, which shift responsibility onto platforms to protect minors through safer default settings and data-minimising design. Notably, some of these laws have been challenged and blocked in the courts on First Amendment free speech and other grounds.
There are also three states with consumer health privacy laws, such as Washington’s My Health My Data Act. This law established the first explicit state privacy protections for health data generated, shared, and processed outside the protections of HIPAA and has a private right of action.
Three states have laws specific to the collection and use of biometric data (beyond the requirements around this type of data subsumed into the comprehensive state privacy laws that treat biometric data as sensitive data). Meanwhile, companies that purchase or sell third-party data need to be cognisant of the laws in California, Vermont, Texas and Oregon related to data brokers that require data brokers to register with the state and impose a fee structure for non-compliance.
State AGs as key privacy regulators
Over the past several years, state AGs have emerged as central actors in the data privacy regulatory landscape through defining enforcement priorities, interpreting statutory obligations and shaping compliance expectations for businesses that handle personal data.
For example, Letitia James, New York AG, published guidance in 2024 for website privacy controls under the state’s broad consumer protection authority. Last year, William Tong, Connecticut AG, updated the state’s comprehensive privacy law enforcement report to outline a new set of enforcement priorities.
Those priorities include scrutiny of cookie banners that allegedly use dark patterns to obtain consent or obscure opt‑outs from targeted advertising, as well as stronger enforcement of statutory protections for minors under 18, including limits on targeted advertising and design features that significantly prolong minors’ time online.
Although many states actively pursue actions related to data privacy – often under the state’s consumer protection laws, commonly referred to as Unfair, Deceptive, or Abusive Acts or Practices (UDAP) laws – the state AG offices in California and Texas are particularly notable for their recent data privacy enforcement activity.
In July 2025, Rob Bonta, California AG, secured a $1.55m settlement against Healthline Media LLC for alleged failures to honour opt-out requests for targeted advertising, limit the collection of sensitive data to only what was necessary for the business and maintain privacy compliant contracts with advertisers.
This action against Healthline added to California’s growing list of privacy-related investigations and settlements, including: (i) a $1.4m settlement in 2025 with mobile app gaming company Jam City, Inc. for allegedly failing to offer consumers ways to opt out of the sharing or sale of their personal data; (ii) a $500,000 settlement in 2024 with Tilting Point Media LLC for CCPA violations related to the sharing of children’s data without consent; and (iii) a $375,000 civil penalty with injunctive terms in 2024 with DoorDash for allegedly selling customer personal data without providing notice or the ability to opt out of the sale.
In contrast to other states, Texas has relied primarily on litigation to drive privacy enforcement. In doing so, it has achieved some unexpected and historic outcomes against big tech companies. Beginning in 2022, Ken Paxton, Texas AG, brought a series of high‑profile data privacy lawsuits that positioned large‑scale data collection as both a consumer protection and national security concern.
In its ongoing litigation against TikTok, Texas alleges that the company misrepresented its data‑handling practices, particularly with respect to minors, and allowed US user data (including sensitive and behavioural information) to remain accessible to China‑based personnel. Texas also sued Google over the alleged unlawful collection of Texans’ geolocation data, biometric identifiers and browsing activity, resulting in a $1.375bn settlement.
Putting US state privacy laws in perspective
The imperative to understand and adapt to US state laws is heightened by the persistent absence of a comprehensive federal privacy statute similar to the European Union’s General Data Protection Regulation, which uniformly applies across all member states and sets forth obligations designed to safeguard the personal data of individuals in the European Economic Area.
To date, all Congressional attempts to pass a federal comprehensive data privacy law have been unsuccessful. Although the American Data Privacy and Protection Act advanced out of committee in 2022, it was never brought to a floor vote in the House of Representatives amid speculation that House leadership was reluctant to pre-empt California’s stronger privacy regime.
In 2024, Congress tried again to establish a comprehensive privacy regime with the American Privacy Rights Act, but the legislative effort stalled over disagreements about federal pre-emption of the existing state laws and some proposed revisions that removed key data protections related to algorithmic safeguards for civil rights. Any efforts along these lines in 2025 gained little traction.
For the foreseeable future, firms doing business in the US will need to understand the importance of these state laws and keep watch on any new developments that might impact their business operations. State AG enforcement developments also underscore a broader regulatory trend: privacy obligations are not static compliance checklists but evolving standards applied through active oversight.
While a dynamic regulatory regime helps consumers, it also can create a complex net of compliance obligations, especially for companies that operate in multiple states or have data practices that have caught the eye of regulators.
In summary, the evolving landscape of US state privacy laws presents both challenges and opportunities for organisations navigating data protection requirements. As federal efforts continue to stall, the patchwork of state regulations will remain the primary framework for privacy compliance. Businesses should remain proactive in monitoring legislative changes and enforcement trends, and in building flexible compliance programmes that account for state-by-state differences.
Ultimately, staying informed and adaptable is essential for successfully managing privacy obligations and maintaining consumer trust in this rapidly shifting environment.
Arianna Evers is a partner and Amy Olivero is a senior associate at WilmerHale. Ms Evers can be contacted on +1 (202) 663 6122 or by email: arianna.evers@wilmerhale.com. Ms Olivero can be contacted on +1 (212) 230 8850 or by email: amy.olivero@wilmerhale.com.
© Financier Worldwide
By Arianna Evers and Amy Olivero, WilmerHale