
US State Privacy Laws: Federal v State – A Practical Guide for Organisations



    The United States privacy landscape is no longer a theoretical patchwork. It is a live production environment where federal “floors” meet state “ceilings,” and your customers, employees, and regulators will judge you by the weakest seam. Federal sectoral rules still set baseline prohibitions on unfair or deceptive practices and protect health, financial, and children’s data, while state omnibus laws now dictate day-to-day operational controls like universal opt-out signals, profiling limits, and assessments. Getting it wrong costs more than fines. It burns sprint capacity on rework, slows product launches, and erodes trust that is hard to regain. This guide gives a pragmatic, repeatable approach you can automate, so compliance scales with your business rather than against it.

    What does “Federal v State” mean?

    Federal law sets baseline prohibitions and sector-specific requirements. State laws now add comprehensive consumer rights and technical signals that can be stricter. Where a federal rule preempts, it controls. Where it does not, the strictest applicable requirement governs. Design for the strictest common denominator, and you will lower risk and reduce rework across markets.

    Why “Federal v State” Matters Now

    The US Privacy Patchwork at a Glance

    Federal sectoral laws protect certain data types or industries, while a fast-growing set of state omnibus laws covers broad consumer data. Preemption debates continue in Congress, and comprehensive federal proposals have stalled. For now, businesses must operationalise a state-led model that includes universal opt-out signals, sensitive data rules, and assessments.

    Who’s in Scope (and When)

    • Typical thresholds are processing the personal data of 100,000 or more residents in a year, or a lower count where a large share of revenue comes from selling personal data. Texas is the outlier: it sets no volume or revenue threshold at all and instead exempts small businesses as defined by the SBA (which must still obtain consent before selling sensitive data).
    • Roles matter. Controllers decide purposes and means. Processors act on documented instructions. This model appears across modern state laws.
    • B2C data is always in scope. B2B and employee data have been in scope in California since 1 January 2023, when the CPRA’s temporary exemptions for them expired. Treat workforce and vendor contacts as in scope where applicable.

    Quick Wins in 30 Days

    • Stand up DSAR intake with verification, tracking, and a 45-day SLA plus one extension.
    • Honour GPC and other universal opt-out signals by state, starting with California, Colorado, and Connecticut.
    • Establish tag governance. Inventory client-side trackers, map data flows to vendors, and apply geolocation rules to consent and opt-out behaviour.

    Federal Baselines & Guardrails

    FTC Act (UDAP) and “Dark Patterns”

    The FTC can police unfair or deceptive acts, which include consent flows that obscure choices or subvert intent. Its 2022 staff report flagged dark patterns in choice architecture and sign-ups. Expect scrutiny of misleading “sale” or “sharing” disclosures, buried opt-outs, and ineffective toggles. Build frictionless, truthful controls and keep evidence.

    Sectoral Laws (HIPAA, GLBA, COPPA, etc.)

    HIPAA creates a federal floor for protected health information: state health privacy rules that are more stringent are not preempted, so you comply with both. GLBA imposes privacy and security obligations on financial institutions and likewise leaves room for stronger state standards. COPPA requires verifiable parental consent before collecting personal information from children under 13, and the FTC finalised amendments tightening the COPPA Rule in 2025. Where a sectoral law applies, state consumer laws typically carve out the data it covers (at the data or entity level), so that data set is governed by the sectoral regime rather than the state consumer rights.

    Federal Privacy Bills (Where Things Stand)

    Comprehensive bills, including APRA, stalled in 2024 and remain off the floor in 2025. Regardless of future preemption, design for durable controls now: clear rights handling, data minimisation, and accountability evidence.

    State Privacy Laws – What Materially Changes by State

    California (CCPA as amended by CPRA and enforced by CPPA)

    Scope now includes employee and B2B data. “Sale” and “sharing” each trigger an opt-out, and businesses must honour GPC. California has brought enforcement actions, including the 2022 Sephora settlement (US$1.2 million) over undisclosed “sales” and failure to process GPC opt-outs. Sensitive personal information carries a right to limit its use and disclosure. Expect audits and continuing rulemaking through the CPPA.

    Virginia (VCDPA) and Utah (UCPA)

    Virginia grants rights to access, delete, correct, and port data, and to opt out of targeted advertising, sale, and profiling with legal or similarly significant effects, with a mandatory appeals process and a 45-day response window extendable once by a further 45 days. Utah offers a narrower set: no correction right and no appeals process, with opt-outs limited to targeted advertising and sale. Build for Virginia-grade rights and appeals to cover both.

    Colorado (CPA) and Connecticut (CTDPA)

    Both require honouring universal opt-out signals. Colorado’s UOOM list and rules are active. Connecticut mandates honouring preference signals starting 1 Jan 2025 and has expanded teen protections. Both require assessments for high-risk processing, including targeted ads and profiling.

    Other Enacted States (Iowa, Indiana, Montana, Texas, Oregon, and more)

    There’s growing convergence (rights to access/correct/delete/opt-out; assessments; processor clauses), but notable outliers:

    • Texas (TDPSA): Effective July 1, 2024; universal opt-out recognition by Jan 1, 2025.
    • Oregon (OCPA): Broad sensitive data limits and 2025 amendments strengthening geolocation and youth protections.
    • Montana: Lower thresholds and 2025 amendments trending toward stronger minors’ protections.

    Use a “strictest wins” control set: enable signals (GPC/UOOM), standardised DSAR, assessments for targeting/profiling/sensitive data, and vendor terms that exceed the toughest state.

    Youth or Teens and Sensitive Data Trends

    Common patterns include COPPA under 13 consent, California opt-in to sell or share for under 16, and several states requiring opt-in for targeted ads or sale for 13 to 16 or higher. Geofencing around health locations is restricted in Washington’s My Health My Data Act. Build age gating and “high risk” flags into data flows.

    Operational Impacts Across the Organisation

    Data Governance & Architecture

    Maintain a living RoPA with data lineage from collection through vendors. Apply minimisation by default and enforce retention through deletion jobs and suppression tables.
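The deletion-job-plus-suppression-table pattern above, as an added example (this is not PrivacyEngine code and not from the original page). Everything here is assumed for illustration: records are dicts with `email`, `created_at` (ISO 8601 with offset) and `source`; the suppression table stores only salted hashes of the identifier so it is not itself a new store of personal data; the retention period, salt, and the `SuppressionTable`, `run_deletion_job` and `gate_ingest` names are hypothetical; all records are constructed.

```python
"""Added example (not PrivacyEngine code): retention enforced by a deletion job plus a
suppression table, with the same table reused as an ingest gate.

Assumptions (not from the article): records are dicts with `email`, `created_at`
(ISO 8601 with offset) and `source`; the suppression table holds only salted hashes,
so it is not a new store of personal data; retention period and salt are configuration.
All records below are constructed.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone


def suppression_key(email: str, salt: str) -> str:
    """Normalise then hash: case and whitespace differences must not defeat suppression."""
    return hashlib.sha256(f"{salt}:{email.strip().lower()}".encode()).hexdigest()


class SuppressionTable:
    """Hashed identifiers of subjects who must not be re-created after deletion."""

    def __init__(self, salt: str) -> None:
        self._salt = salt
        self._entries: dict[str, dict] = {}

    def add(self, email: str, *, reason: str, jurisdiction: str, added_at: datetime) -> None:
        key = suppression_key(email, self._salt)
        # Metadata only: reason and jurisdiction are audit evidence, the identifier is not kept.
        self._entries[key] = {
            "reason": reason,
            "jurisdiction": jurisdiction,
            "added_at": added_at.isoformat(),
        }

    def contains(self, email: str) -> bool:
        return suppression_key(email, self._salt) in self._entries

    def __len__(self) -> int:
        return len(self._entries)


def run_deletion_job(records, table: SuppressionTable, *, retention: timedelta, now: datetime):
    """Return (surviving_records, report).

    Suppression is checked before age so a deleted subject's record is reported as a
    rights deletion, not an expiry. The report carries counts only, never identifiers,
    so it can be kept as audit evidence.
    """
    kept = []
    report = {"deleted_suppressed": 0, "deleted_expired": 0, "kept": 0}
    for rec in records:
        if table.contains(rec["email"]):
            report["deleted_suppressed"] += 1
            continue
        created = datetime.fromisoformat(rec["created_at"])
        if now - created > retention:
            report["deleted_expired"] += 1
            continue
        kept.append(rec)
        report["kept"] += 1
    return kept, report


def gate_ingest(records, table: SuppressionTable):
    """Drop inbound records for suppressed subjects; returns (accepted, rejected_count).

    This is what stops a vendor re-supply, list upload or offline onboarding from quietly
    re-creating a consumer the deletion job already removed.
    """
    accepted = [rec for rec in records if not table.contains(rec["email"])]
    return accepted, len(records) - len(accepted)


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    table = SuppressionTable(salt="rotate-me")
    table.add("deleted@example.com", reason="dsar_delete", jurisdiction="CA", added_at=now)
    # Constructed CRM extract: one suppressed subject, one expired record, one live record.
    crm = [
        {"email": "Deleted@Example.com", "created_at": "2025-05-01T00:00:00+00:00", "source": "web"},
        {"email": "old@example.com", "created_at": "2023-01-01T00:00:00+00:00", "source": "web"},
        {"email": "fresh@example.com", "created_at": "2025-05-15T00:00:00+00:00", "source": "web"},
    ]
    kept, report = run_deletion_job(crm, table, retention=timedelta(days=365), now=now)
    print(report, [r["email"] for r in kept])
    # Constructed vendor feed that tries to re-supply the deleted subject.
    vendor_feed = [{"email": "deleted@example.com", "created_at": now.isoformat(), "source": "vendor_b"}]
    print(gate_ingest(vendor_feed, table))
```

The ordering matters: the suppression check runs before the age check so the report attributes the deletion correctly, and the same table fronts every ingest path, not just the deletion job, which is what makes the suppression durable across vendor refreshes.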

    Product & Engineering (Privacy by Design)

    Ship privacy defaults. Bind purposes to configuration flags. Externalise consent and opt out as a service so apps call one interface while state logic evolves behind it.

    Web, Analytics & AdTech

    Configure your CMP to differentiate opt-out signals by state. Enforce GPC and UOOM at the edge. Prefer server-side tagging with deny lists and vendor isolation. Track data broker implications where “sale” or “sharing” may be inferred.

    Sales, Legal & Procurement

    Standardise DPA templates with state addenda. Bake in processor duties, subprocessor approvals, and audit rights. Set a reassessment cadence for vendors processing sensitive data or engaging in targeted advertising.

    HR & Internal Data

    In California, workforce data is fully in scope. Provide notices at collection, enable employee rights, and set surveillance and monitoring policies with a legitimate purpose and retention limits.

    Security & Incident Response

    Demonstrate “reasonable security” through framework mapping, asset and vulnerability management, and evidence of controls in operation. Run breach tabletop exercises and capture artefacts. Watch HIPAA and state health data rules if your products touch that boundary.

    Compliance by Design – The Control Set You Actually Need

    Data Mapping & Records of Processing (RoPA)

    Build a systems-first inventory that links systems, vendors, and data elements. Keep delta logs so auditors can see when and why something changed.

    DSAR Lifecycle

    Offer multiple intake channels. Use risk-based identity verification. Meet the 45-day SLA, allow one extension, and provide an appeals path with documented decisions and metrics.

    Consent & Preference Management

    Require consent for sensitive data where mandated and for teens under applicable ages. Sync preferences across web, mobile, CRM, and CDP. Persist GPC and UOOM events with jurisdiction.
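Edge enforcement of a universal opt-out signal, differentiated by state and persisted with jurisdiction, as described in the Web, Analytics & AdTech section and in this one. This is an added example, not PrivacyEngine code and not from the original page. It assumes the signal arrives as the `Sec-GPC` request header (the Global Privacy Control specification defines that header with the value `1`, and exposes the same signal to scripts as `navigator.globalPrivacyControl`), that an upstream geo-IP step has already supplied a US state code, that the tag catalogue is constructed, and that the binding-state list is configuration drawn from the states this article names (California, Colorado, Connecticut, Texas), which counsel must maintain. The function and field names are hypothetical.

```python
"""Added example (not PrivacyEngine code): resolve a GPC opt-out signal at the edge and
persist the event with jurisdiction so it can be replayed to CRM/CDP suppression.

Assumptions (not from the article): the signal arrives as the `Sec-GPC` request header,
an upstream geo-IP step supplies a US state code, the tag catalogue below is constructed,
and SIGNAL_BINDING_STATES is configuration that counsel maintains.
"""
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# States this article names as requiring recognition of universal opt-out signals.
# Configuration, not legal advice: counsel owns the list and its effective dates.
SIGNAL_BINDING_STATES = frozenset({"CA", "CO", "CT", "TX"})

# Constructed catalogue: True means firing the tag amounts to a "sale" or "sharing".
TAG_CATALOG = {
    "analytics_first_party": False,
    "ad_pixel_vendor_a": True,
    "matched_audience_vendor_b": True,
}


@dataclass(frozen=True)
class OptOutEvent:
    subject: str | None  # salted hash of the identifier, never the raw value
    signal: str
    jurisdiction: str
    binding: bool
    honoured: bool
    observed_at: str


def has_gpc_signal(headers: dict[str, str]) -> bool:
    """True only for a well-formed signal: the GPC spec requires the value to be exactly "1"."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def pseudonymise(identifier: str, salt: str) -> str:
    """Salted SHA-256 so the preference log does not become a new store of raw identifiers."""
    return hashlib.sha256(f"{salt}:{identifier.strip().lower()}".encode()).hexdigest()


def resolve_opt_out(
    headers: dict[str, str],
    region: str | None,
    user_id: str | None = None,
    *,
    salt: str,
    honour_everywhere: bool = False,
    now: datetime | None = None,
) -> dict:
    """Decide whether to suppress sale/share tags for this request and build the audit event.

    honour_everywhere=True is the "strictest wins" posture: honour the signal even where
    it is not legally binding. The event is returned whenever a signal was seen, so
    non-binding observations are still logged for opt-out honour-rate metrics.
    """
    signal = has_gpc_signal(headers)
    region = (region or "").upper()
    binding = signal and region in SIGNAL_BINDING_STATES
    opt_out = binding or (honour_everywhere and signal)
    allowed_tags = [tag for tag, is_sale in TAG_CATALOG.items() if not (opt_out and is_sale)]

    event = None
    if signal:
        event = OptOutEvent(
            subject=pseudonymise(user_id, salt) if user_id else None,
            signal="GPC",
            jurisdiction=region or "UNKNOWN",
            binding=binding,
            honoured=opt_out,
            observed_at=(now or datetime.now(timezone.utc)).isoformat(),
        )
    return {"opt_out": opt_out, "binding": binding, "allowed_tags": allowed_tags, "event": event}


if __name__ == "__main__":
    # Constructed requests: binding state, non-binding state, malformed header value.
    samples = [
        ({"Sec-GPC": "1"}, "CA", "alice@example.com"),
        ({"Sec-GPC": "1"}, "NY", "bob@example.com"),
        ({"Sec-GPC": "true"}, "CA", "carol@example.com"),
    ]
    for headers, region, user in samples:
        result = resolve_opt_out(headers, region, user, salt="rotate-me")
        event = asdict(result["event"]) if result["event"] else None
        print(region, result["opt_out"], result["allowed_tags"], event)
```

Two points worth noting: a malformed header value is treated as no signal rather than as an opt-out, which keeps the honour-rate metric honest, and the returned event carries the jurisdiction and whether the signal was binding, which is exactly what downstream suppression and regulator reporting need to replay the decision later.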

    DPIAs or Risk Assessments

    Trigger assessments for targeted advertising, profiling with legal or significant effects, sensitive data, and large-scale monitoring. Version the assessment, record mitigations, and capture sign off.

    Vendor Risk & Contracting

    Embed required clauses, purpose limitations, and assistance with consumer rights. For cross-border transfers, keep transfer impact assessment (TIA)-style analyses and supplementary measures on file.

    Documentation & Evidence

    Maintain policies, SOPs, decision logs, training records, and audit-ready exports. Treat your evidence repository as production-grade.

    PrivacyEngine – Automating Multi-State Compliance

    Automations That Remove Manual Work

    • RoPA sync from data sources
    • DPIA workflows with triggers on tagging or schema changes
    • DSAR intake, verification, and fulfilment across systems
    • Preference centre with GPC and UOOM logging and replay

    Integrations with Your Stack

    Connect tag managers, web or mobile SDKs, CDPs and CRMs, and data lakes. Use webhooks for suppression, erasure, and marketing opt-outs across downstream tools.

    Regulator Ready Reporting

    Real-time dashboards for DSAR timelines, opt-out honour rates, and change history with exportable evidence packs for audits or inquiries.


    30/60/90 Day Implementation Plan

    • 30: inventory, DSAR intake live, CMP configured for GPC and per state notices
    • 60: vendor DPAs executed, preference sync across CRM or CDP, first DPIAs completed
    • 90: KPIs and SLA proofs live, automated evidence packages in place

    Operating Model, KPIs, and Budget

    RACI and Decision Rights

    Define a Privacy Lead or DPO equivalent, product counsel, security, marketing, HR, and engineering ownership. Tie privacy decisions to change management.

    Policy Framework & Change Control

    Version policies, define exceptions with expiry dates, and set retirement rules. Align releases to policy updates and regulator guidance.

    KPIs & Internal Audit

    Track DSAR SLA, opt-out honour rate by state, incident MTTR, and vendor reassessment cadence. Run periodic internal audits and board-level reporting.

    Common Pitfalls & How to Avoid Them

    Treating “Do Not Sell or Share” as a Cookie Banner Toggle

    Map full data flows, including server-side sharing, offline onboarding, and matched audiences. Honour signals beyond the web layer. California and others will expect this.

    Collecting Excessive Data for Identity Verification

    Use risk-based verification. Avoid collecting new sensitive data solely to process rights. Purge verification artefacts on a short schedule.

    One-Time Projects vs. Ongoing Programme

    Treat privacy as an operational capability with monitoring and evidence. Laws change. Your system must adapt without refactoring core products each time.

    Make Privacy Operations Click

    Turn sprawling workflows into measurable outcomes: automated DSARs, DPIAs, and retention, with oversight that never slows you down.
