
Twenty States. Twenty Privacy Laws. One Compliance Problem.

As of mid-2025, more than twenty US states have enacted comprehensive consumer privacy laws. Virginia, Colorado, Connecticut, Utah, Texas, Florida, Montana, Oregon, Delaware, Iowa, Indiana, Tennessee, and others have joined California in establishing enforceable rights around data access, correction, deletion, and opt-out from sale and targeted advertising.

The laws share a common vocabulary but differ in meaningful ways. Enforcement mechanisms range from state attorney general action to private rights of action. Applicability thresholds vary — some cover businesses that process data on 100,000 consumers, others set higher bars. Definitions of sensitive data diverge. Some states require opt-in consent for sensitive categories; others require opt-out. The exemptions for employees, business contacts, and HIPAA-covered entities are handled differently in each jurisdiction.

For a business operating across state lines — which describes most digital businesses — the result is a compliance matrix of considerable complexity. Legal teams have generally converged on a California-first strategy: build your data practices to meet CPRA, and you will be in reasonable shape for most other states. But reasonable is not the same as compliant, and the edge cases matter.

The more important trend is directional. A federal privacy law remains stalled in Congress, but the state-by-state movement has created de facto national standards. Businesses that have treated consumer data rights as a compliance checkbox rather than a product design principle are finding that posture increasingly difficult to maintain.

The pressure is not going away. It is expanding.