Data Privacy

Will state-level privacy laws drive the case for a US federal regulation?

California has been the standard bearer for US state privacy laws in recent years. But as more US states pass their own GDPR-like laws, what do these state-level laws mean in practice, what do companies have to contend with state to state, and will there eventually be a federal law that will consolidate all of this?


When lawmakers in Ohio introduced a proposal last year for a state-level privacy law, the state joined a chorus of US states updating their laws to provide greater data privacy rights.

The Ohio Personal Privacy Act is just one of the latest examples of a US state taking action on digital privacy rights and revamping its law books to reflect the modern day.

It is a wave that kicked off in California with the California Privacy Rights Act (CPRA) in 2020, an update to the previous law, the CCPA, that aimed to shore up protections for people and their data. The law, often dubbed a US GDPR, took many cues from its European counterpart on how data should be handled and breaches reported, while introducing a host of new measures that businesses needed to comply with.

The CPRA is limited to California, and whatever final form Ohio’s law takes will apply only within its state lines, but the reach of these laws has been wide as more states look to bolster protections for consumers and their personal information.

For advocates of greater data privacy protections, this has been a welcome development, but the slew of US states that have followed suit has not adhered to a single template.

Laws have been passed or proposed in Colorado, Virginia and New York, each with its own tweaks and nuances. It means that the changing landscape of data protection is anything but linear and is only going to be a continuous challenge.
