The State of US Data Privacy: Rising Stakes for Enterprises

US state privacy laws are expanding fast. Discover key trends and what they mean for modern compliance and enterprise data governance.

US data privacy regulation has entered a new phase. What began as a patchwork of narrow, sector-specific rules has evolved into a fast-growing network of comprehensive state privacy laws, expanded consumer rights, and increasingly assertive enforcement. The shift is not just a matter of more laws; it reflects broader changes in scope, expectations, and regulatory posture that are reshaping how organizations must approach data governance.

For many enterprises, privacy compliance is no longer a narrow legal exercise; it is a cross-functional discipline tied directly to risk management, data governance, and brand trust.

From Sector Rules to State Privacy Frameworks

Historically, US privacy regulation centered on industry-focused laws, including:

  • HIPAA: Safeguards healthcare data
  • Gramm-Leach-Bliley Act (GLBA): Regulates financial institutions
  • COPPA: Protects minors’ online data
  • FCRA: Oversees credit reporting

These frameworks were not designed for the massive volumes of personal data flowing through today’s digital ecosystems, so states have stepped in to address gaps. Comprehensive privacy statutes, first popularized by California’s CCPA and CPRA, established broad consumer rights and obligations that apply across industries.

The result is a state-driven system in which multiple jurisdictions now impose overlapping requirements.

A Landscape Defined by Growth and Broader Reach

There are currently 20 states with comprehensive privacy laws enacted, and that number continues to grow. Applicability thresholds are also evolving, bringing more mid-sized organizations into scope. Privacy compliance is no longer a concern only for highly regulated industries; retailers, manufacturers, and media companies increasingly find themselves subject to these requirements.

The expansion of state-level laws means many organizations that previously assumed they were outside the reach of privacy regulations must reassess their obligations and risk exposure.

While each state has its own privacy law, many requirements overlap across states. These areas of overlap will ultimately call for similar remediation approaches and governance solutions. Several consistent themes define the current generation of state privacy statutes:

1. Expanded definitions of sensitive data

Sensitive data categories now often include biometrics, precise geolocation, genetic information, union membership, and private communications, requiring heightened consent and security controls.

2. AI, profiling, and automated decision-making

Companies are increasingly required to disclose profiling activities and allow consumers to opt out. In certain instances, companies must avoid the use of specific data altogether, especially when minors are involved.

3. Stronger protections for children and teens

Laws increasingly restrict targeted advertising to minors, require opt-in consent before collecting or sharing minors’ data, and emphasize easily revocable consent.

4. Universal opt-out mechanisms

A growing number of states require businesses to honor universal opt-out signals sent from a browser or device, letting consumers exercise their privacy choices across multiple platforms with a single action.

5. Shortened or removed “right to cure” time frames

While earlier privacy laws commonly gave companies time to correct violations before incurring penalties, many newer statutes shorten or remove these grace periods.

Enforcement Actions: California Takes the Lead

Recent enforcement actions illustrate how regulators are applying privacy principles in practice.

In one of the largest penalties to date under the California Consumer Privacy Act (CCPA), the California Attorney General announced a $1.55 million settlement with Healthline, an online health and wellness platform. Regulators alleged the company used tracking tools for targeted advertising and disclosed health-related information without meeting CCPA requirements. The action also focused on purpose limitation, arguing that data was used in ways that didn’t align with the reasons it was originally collected. Beyond the financial penalty, Healthline was required to improve opt-out mechanisms, restrict sharing of article titles that could reveal diagnoses, and establish a formal compliance program with contract audits.

The California Privacy Protection Agency (CPPA) ordered Tractor Supply Company, the nation’s largest rural lifestyle retailer, to pay a $1.35 million fine and change its business practices over CCPA violations. The action focused on failures to maintain compliant privacy notices, provide effective opt-out mechanisms including preference signals, notify job applicants of their privacy rights, and ensure appropriate contractual protections with third parties. The company agreed to broad remediation measures, such as scanning its digital properties to inventory tracking technologies, and requiring a corporate officer to certify compliance annually. These measures underscore regulators’ focus on both consumer-facing transparency and internal practices.

Recent cases such as Healthline, Sephora, and DoorDash show how regulators are scrutinizing:

  • How organizations use sensitive data in practice
  • Whether consumer choices are meaningfully implemented
  • How third-party data-sharing relationships are governed

Fragmentation and the Growing Compliance Challenge

Despite shared themes, state laws differ in important ways. Organizations must navigate variations in:

  • Consent standards and opt-out models
  • Definitions of personal and sensitive data
  • Treatment of data “sales” and sharing
  • Enforcement structures, penalties, and oversight bodies

This fragmentation creates a complex compliance environment where static policies are no longer sufficient. Privacy programs must support ongoing updates, cross-system visibility, and consistent processes for handling consumer rights.

Strategic Implications for Organizations

The expansion of privacy law, combined with rising enforcement, is pushing compliance beyond the legal department. Organizations increasingly need:

  • Centralized information governance and retention from one searchable platform
  • Granular access controls, immutable storage, and evidence-quality audit trails
  • Complex, enterprise-wide search capabilities across all data repositories
  • Visibility across all systems and classification of sensitive information
  • Scalable workflows for managing consumer rights requests
  • Flexible governance structures aligned with evolving regulatory definitions

Privacy is becoming a core element of enterprise risk management. Companies that treat it as an operational capability, rather than just periodic documentation, are better positioned to reduce regulatory exposure while maintaining customer trust.

Looking Ahead

State privacy regulation is likely to continue expanding and diverging, while federal standardization remains uncertain. At the same time, regulators are demonstrating that they will scrutinize how organizations handle data, especially sensitive information and advertising-related practices.

Modern privacy compliance depends on the ability to understand, manage, and control data across the entire enterprise. Organizations that invest in centralized information governance, visibility, and adaptable compliance processes will be better prepared for the next phase of privacy regulation.

Read our brochure to see how ZL Tech helps organizations meet evolving privacy requirements through centralized unstructured data governance.

Valerian received his Bachelor's in Economics from UC Santa Barbara, where he managed a handful of marketing projects for both local organizations and large enterprises. Valerian also worked as a freelance copywriter, creating content for hundreds of brands. He now serves as a Content Writer for the Marketing Department at ZL Tech.