Data Privacy

Will state-level privacy laws drive the case for a US federal regulation?

California has been the standard bearer for US state privacy laws in recent years. But as more US states pass their own GDPR-like laws, what do these state-level laws mean in practice, what do companies have to contend with state to state, and will there eventually be a federal law that will consolidate all of this?


When lawmakers in Ohio introduced a proposal last year for a state-level privacy law, it was joining a chorus of US states that were updating their laws for greater data privacy rights.

The Ohio Personal Privacy Act is just one of the latest examples of a US state taking action on digital privacy rights and revamping their law books to reflect the modern day.

It is a wave that kickstarted with California and the California Privacy Rights Act in 2020 – which was an update on the previous law, the CCPA – which aimed to shore up protections for people and their data. The law, often dubbed a US GDPR, took many cues from its European counterpart around how data should be handled and breaches reported while introducing a host of new measures that businesses needed to comply with.

The CPRA is limited to California and whatever final form Ohio’s law takes will be within its state lines, but their reach has been wide as more states look to bolster protections for consumers and their personal information.

For advocates of greater data privacy protections, this has been a welcome development but the slew of states in the US that have followed suit have not adhered to a single template.

Laws have been passed or proposed in Colorado, Virginia and New York, each with their own tweaks and nuances. It means that the changing landscape of data protection is anything but linear and is only going to be a continuous challenge.

It also raises a series of recurring questions for many lawmakers and businesses alike, whether it is how to comply with laws state to state, or whether it is time for federal legislation to harmonise rules across the whole country.

‘Disparate’ laws

Mark McCreary, co-chair of the privacy and data security practice at law firm Fox Rothschild, said California was instrumental in getting the ball rolling in other states. Digital rights, data protection and privacy are higher on the agenda than they have ever been before and this can be seen in the laws passed in Colorado and Virginia.

“The impact of disparate state privacy laws is already being felt by businesses,” McCreary said.

California’s law initially took the form of the CCPA and was revised to the CPRA, requiring businesses to alter their approach to compliance to meet the letter of the law. These tweaks are now taking place in different states like Colorado and Virginia and in different forms.

Todd Moore, global head of encryption products at Thales, told IDG Connect that various industries have long been contending with this lack of uniformity.

“We've counted 1,800 different global privacy laws unique around the world, and the US isn't immune to that. Each state in the US has their own viewpoint when it comes to privacy. Our customers have demanded and asked for how they can take the complexity out of, not just in the US but around the world, complying with these different regulations,” Moore said.

He said that companies in the cybersecurity space like Thales have had to respond with robust changes to their products to meet businesses’ ever-evolving needs.

McCreary added that the varying changes in states have been “manageable to date” but it remains early days in their implementation and as more states come on track, compliance could become unwieldy.

“These three laws are a preview and a cautionary tale of what may happen as additional states pass their own laws,” he explained, referring to California, Virginia, and Colorado’s laws.

“Rather, these differences can be how sensitive data is defined and treated differently, and even how behavioural advertising is regulated. While personally I am in favour of limiting dark patterns by service providers and bringing data collection and uses out of the shadows, I am not in favour of forcing businesses to comply with many different state laws that have inconsistent application.”


The lack of a national law and more and more states taking their own initiative could eventually mean 50 different frameworks, Stephen Cavey, co-founder of data protection firm Ground Labs, said.

“The variations in compliance laws mean probable inconsistent requirements around establishing legal consent and permitted use of an individual's data — and may further apply to the handling of children’s data and guardian consent,” Cavey said. “It also means there will be multiple ways permitted to sell and purchase personal data, in addition to various penalty frameworks for violations.”

This will create “complex barriers” for all businesses when it comes to respecting the privacy rights of individuals and ultimately more costs for operating in a compliant manner.

“A few examples include increased risk mitigation costs including insurance and risk regulatory penalty provisions, legal overhead cost, more third-party tools and staff hired to ensure compliance with 50 different states' privacy requirements,” he added.

This renews the calls for a federal privacy law, something that has been on the wish list for many privacy proponents for a long time. But the devil will be in the detail.

Thales’s Moore said a regulation “without any meat” behind it will result in poorer results in enforcement and protection for consumers.

Many privacy and security advocates look to the EU’s General Data Protection Regulation as a blueprint for other jurisdictions to follow. While the GDPR has presented its own fair share of issues since it came into effect in 2018, it remains a standard that others have pursued.

Moore said that there’s been acceptance of GDPR by companies regardless of where they are based or do business but it wasn’t immediate.

“It was as if we're going to wait to see who gets in trouble first. Now there's been some very high-profile lawsuits and fines for people not protecting information properly as part of GDPR, so I think that helps drive the adoption there.”

He reiterates that any new laws need to be watertight to ensure that everyone complies from the get-go.

“If you write a regulation and a law that has too many holes or ins and outs, people find a way to work around it. Bringing it back to the United States, having states that allow that and don't have a firm, strong regulation, I think companies and individuals will find ways to work around those processes, so consistency is important. I think it's a lesson learned from GDPR.”

Over the line

But all of this talk of an American GDPR is still just that, talk. Proposals and calls for a federal law have been bountiful during various administrations but it has become increasingly prominent, especially in an environment where Big Tech is under more scrutiny than ever before.

Getting such a law over the line will be no small task though.

The Future of Tech Commission, for example, is a bipartisan group that is aiming to convince US lawmakers to adopt tighter and stricter digital rules. Among its proposals is a federal privacy law but how realistic is that in the coming years?

McCreary he believes a federal law is “inevitable” but stops short of giving any time frames.

“I do have hesitation to believe that such a law is likely in this current time of incredible political polarisation, and my even recent optimism regarding such a law has waned. I do remain hopeful that this topic can be one of the few that manages bipartisan support and attention.”