Navigating State Privacy Laws

The value of data across the globe is immense, with tangible benefits to society and businesses alike. Consistent with this value—and the explosion of information stemming from innovation and a connected economy—the past five years have been marked by increasing efforts to regulate the collection, use, sale and sharing of personal data. While these initiatives may be rooted in good intent, in reality, businesses across the globe now must navigate a maze of competing, and at times conflicting, laws and regulations to ensure privacy compliance and avoid costly fines, regulatory investigations and litigation.

Since the “new era” of privacy regulation began with passage of the European Union’s General Data Protection Regulation (GDPR) in 2018, countries such as Brazil, South Africa, and Canada have followed the GDPR’s lead and implemented updated data privacy laws. These laws all emphasize a consumer’s right to make informed choices about their personal data, require companies to be transparent about their practices, and require reasonable security standards sufficient for this complex digital age. Now, notwithstanding the potential of a comprehensive federal law in the U.S., states are taking matters into their own hands, with recent and emergent privacy-related legislation—some with extraterritorial reach—in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah and Virginia.

Put differently, the patchwork quilt is expanding.

Varnum LLP’s Data Privacy and Cybersecurity Team’s national practice assists clients in connection with these new laws and we have created this guide to provide businesses with an informational roadmap for state privacy laws as of February 2025.