In an era of persistent political polarization, a noteworthy trend at the state level offers hope for those nostalgic for bipartisan cooperation: data privacy protections.
Since 2021, 19 states in all — from "blue" states such as California, Oregon, Colorado and Connecticut to "red" states such as Texas, Nebraska, Indiana, Kentucky and Montana — have enacted comprehensive privacy legislation. These laws, which will cover over half of the U.S. population as they come into effect, were not passed along party lines but rather with overwhelming bipartisan support.
In fact, many sponsors of these laws now regularly communicate with each other to discuss trends, advances and concepts, regardless of party affiliation.
The recent U.S. Federal Trade Commission report on the privacy practices of social media and video streaming services from 2019-20 captures the legislative landscape just before many of these state laws were enacted. Many of the FTC's recommendations align with existing state privacy laws, including restrictions on sensitive data collection, consumer data rights, limits on targeted advertising and profiling, and obligating businesses to implement data minimization and data protection impact assessments.
To be clear, this is not a call to halt efforts on federal legislation. To the contrary, sensible federal legislation that establishes a unified set of rules for both consumers and businesses would be widely embraced. In the absence of such federal action, however, state laws are filling the gap, providing essential safeguards that many skeptics fail to fully appreciate.
Consumer rights
There is nearly universal agreement among states with enacted privacy laws that consumers should have rights to control their data, consistent with the FTC's stated concerns. All these states provide for consumer data privacy rights, including the right to access data collected or shared about consumers, the right to correct incorrect or outdated personal information, the right to request deletion of personal information, the right to opt out of the sale of personal information, and the right to opt out of targeted advertising.
The scope of these rights varies somewhat. California, Iowa and Utah require businesses to delete only the information the consumer provided, while the remaining states require deletion of all personal data concerning or obtained about the consumer. California also enacted the DELETE Act, which allows residents to request deletion of personal information from entities defined as "data brokers." Overall, though, the scope of the rights is largely consistent across state lines.
While the FTC's report noted a lack of transparency and limited consumer options for correcting or deleting data, today every state with a consumer privacy law — at minimum — grants rights to access, portability and deletion, as well as the ability to opt out of data sales and targeted advertising.
Sensitive data protections
States are addressing one of the FTC's core concerns by empowering consumers with robust control over their sensitive data through the requirement of affirmative consent before processing. This not only ensures consumers are fully informed and have explicitly authorized the collection or use of personal data — such as racial or ethnic origin, sexual orientation, biometric data, health data, and precise geolocation data — but also grants them ongoing control over how their data is used.
Businesses are prevented from using or selling sensitive information for undisclosed purposes without further consent.
These measures enhance transparency and control, directly addressing the FTC's concerns about the handling of sensitive data.
Universal opt-out mechanisms
Eleven states have enacted provisions requiring businesses to recognize universal opt-out mechanisms, enabling consumers to more easily signal their intent to opt out of data sales and targeted advertising through automated browser signals.
Colorado, under its Privacy Act, has established a public list of recognized universal opt-out mechanisms. Maintained by the Colorado Attorney General's Office, the list identifies which mechanisms meet the required standards for allowing consumers to opt out of data collection, sales and targeted advertising. Businesses are then given six months to incorporate and honor these signals. Notably, Colorado's approach, which involved public input from industry and stakeholders on opt-out signals, led to the official recognition of only one of the first three applicants.
This highlights how states are empowering consumers to automatically signal their opt-out preferences while involving stakeholders to ensure privacy and cybersecurity protections. By streamlining opt-out processes, state laws address concerns from the FTC report about complexity and lack of transparency, giving consumers greater control over their personal data.
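As an added illustration of what "honoring" an automated browser signal looks like on the receiving end (this is example code written for this article, not code from any state regulator or from the authors): the mechanism the Colorado Attorney General's list recognized is Global Privacy Control (GPC), which participating browsers send as the request header `Sec-GPC: 1`. The consumer record structure, the sample headers and the date in the well-known resource are all constructed for the example.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Illustrative code for this article, not a regulator's or the authors' code.
Assumptions: requests are represented as a header mapping, and a consumer
record stores two opt-out flags (sale and targeted advertising) that a
state privacy law would require a business to honor.
"""
import json
from dataclasses import dataclass
from typing import Mapping

GPC_HEADER = "sec-gpc"  # compared case-insensitively, as HTTP requires


@dataclass
class ConsumerRecord:
    """Constructed example of the opt-out state a controller keeps per consumer."""
    consumer_id: str
    opted_out_of_sale: bool = False
    opted_out_of_targeted_ads: bool = False


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries a valid GPC signal.

    The GPC specification defines "1" as the only meaningful value; an
    absent header, "0" or any other value is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_universal_opt_out(record: ConsumerRecord,
                            headers: Mapping[str, str]) -> ConsumerRecord:
    """Apply the signal to the consumer record and return the updated record.

    Design choice: the opt-out is sticky. A later request that lacks the
    header is treated as "no new instruction", not as consent to resume
    selling data or serving targeted ads; re-enabling would require an
    affirmative opt-in handled elsewhere.
    """
    if gpc_signal_present(headers):
        record.opted_out_of_sale = True
        record.opted_out_of_targeted_ads = True
    return record


def may_process(record: ConsumerRecord, purpose: str) -> bool:
    """Gate the two regulated purposes on the consumer's opt-out state."""
    if purpose == "sale":
        return not record.opted_out_of_sale
    if purpose == "targeted_advertising":
        return not record.opted_out_of_targeted_ads
    raise ValueError(f"unknown purpose: {purpose}")


def gpc_well_known(last_update: str = "2024-07-01") -> str:
    """Body for /.well-known/gpc.json, which lets a site advertise that it
    honors GPC. The date is a constructed placeholder for the example."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests: first with the signal, then without it.
    rec = ConsumerRecord("consumer-42")
    rec = apply_universal_opt_out(rec, {"Host": "example.test", "Sec-GPC": "1"})
    print("sale allowed after signal:", may_process(rec, "sale"))
    rec = apply_universal_opt_out(rec, {"Host": "example.test"})
    print("sale allowed on later request without signal:", may_process(rec, "sale"))
    print(gpc_well_known())
```

The value check matters: a header that is present but not exactly "1" should not be read as an opt-out, and the absence of the header on a later visit should not be read as consent, since the state laws described above require an affirmative act to opt back in.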
Data protection impact assessments and data minimization
Privacy is not just about consumer-facing mechanisms such as opt-outs or consent forms; it also involves internal practices that create a culture of privacy within businesses. To this end, states have significantly increased business accountability through requirements for DPIAs and data minimization.
Specifically, DPIAs require businesses to assess the risks associated with high-risk data processing activities and take steps to mitigate those risks when appropriate. These assessments are mandatory in all states except California, Utah and Iowa for businesses engaging in high-risk processing, such as profiling or handling sensitive data.
At minimum, businesses must weigh the benefits of the processing (the processing of sensitive data, for example) to the controller, the consumer, other stakeholders and the public against the potential risks to the consumer's rights, and then consider the safeguards that can reduce those risks. These assessments must be documented and made available to the enforcement authority during an investigation.
Additionally, all states except Utah have imposed data minimization standards, which draw on the principles of the EU General Data Protection Regulation and the Fair Information Practice Principles. These standards limit collection to data that is adequate, relevant and reasonably necessary for the purposes disclosed to the consumer. Subsequent changes in the type of data collected or in the processing purposes require fresh consent from the consumer.
By aligning with the FTC's call for data collection limits, transparency and risk assessments, states are ensuring businesses only collect the minimum amount of data needed and consumers are fully informed about how their data is used.
State innovation of privacy rules
While some skeptics argue state privacy laws lack "imagination," a closer, more realistic examination of these laws contradicts that notion. Moreover, for the many of us who believe federal legislation is the best approach, the need for consistency across state lines becomes even more apparent as these laws continue to evolve.
States are adopting privacy provisions that build on and work from the same framework, while creating new business obligations and consumer rights. Delaware, Minnesota, Connecticut, Colorado and Oregon have enacted solutions that extend beyond the FTC's recommendations and may well help shape the future of privacy standards:
- Minnesota grants consumers access rights to data collected by automated decision-making technologies and provides transparency about the reasoning behind automated decisions.
- Delaware prohibits processing the personal data of a consumer for purposes of targeted advertising or selling a consumer's personal data without their consent when the controller has actual knowledge or willfully disregards that the consumer is at least 13 years old but younger than 18.
- Connecticut amended its privacy law in 2023 to add heightened restrictions on processing, sharing and selling consumer health data, as well as more granular protections for minors, such as requiring a visible signal to the minor whenever precise geolocation data is being collected.
- Oregon requires that controllers be able to provide, on request, the specific third parties to whom a consumer's personal data has been disclosed, subject to trade-secret protections.
Toward a comprehensive privacy framework
The rise of state privacy laws has been a success story, demonstrating that meaningful privacy protections are achievable even in a politically divided environment. While the FTC report underscores the need for federal legislation to create a uniform privacy framework, state laws are leading the charge, providing robust protections and testing innovative approaches to data privacy.
In the absence of federal action, states will continue to play a critical role in shaping the future of privacy in the U.S. By building on the foundations set by state laws, federal legislation can create a comprehensive and harmonized privacy framework that protects all Americans while allowing businesses to operate with clarity and consistency across the country.
Andrew Kingman is the president of Mariner Strategies and works with various state lawmakers across the country on drafting state privacy legislation.
Willy Martinez, AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP, is associate at Mariner Strategies.