

The United States is witnessing a remarkable evolution in data privacy regulation. In the absence of a comprehensive federal law, states are taking the lead in defining new frameworks for consumer data protection. In 2023 alone, five state privacy laws have already come into effect, with another five preparing to roll out soon. This patchwork approach represents the diverse legislative landscape of America, where each state addresses its unique concerns through varied policies.


Current State of Privacy Laws in the US

California remains at the forefront, with its landmark California Consumer Privacy Act (CCPA), updated by the California Privacy Rights Act (CPRA) and closely modelled on the EU’s GDPR. This framework has significantly influenced the subsequent state laws in Colorado, Connecticut, Utah, and Virginia. Each has adopted unique nuances but draws heavily from the CCPA’s core tenets of empowering consumers with data rights and establishing businesses’ responsibilities for processing data.


In 2024, the regulatory landscape will broaden further as Washington, Oregon, Texas, Florida, and Montana implement new laws.

  1. Washington’s My Health My Data Act (Effective March 31, 2024): This pioneering legislation aims to safeguard sensitive health data, with a focus on reproductive healthcare. Emphasising consumer consent, it will set strict controls on the collection, processing, sharing, and selling of health data. The law reflects public sentiment, with 76% of Washingtonians backing it.
  2. Oregon’s Consumer Privacy Act (Effective July 1, 2024): Extending comprehensive protection, this law targets businesses handling large volumes of consumer data and mandates transparency through required notices. It provides a wide range of consumer rights, with exemptions based on the nature of the business.
  3. Texas Data Privacy and Security Act (Effective July 1, 2024): Designed to establish comprehensive restrictions on consumer data, it includes notable exemptions for small businesses, allowing opt-out compliance until January 1, 2025.
  4. Florida Digital Bill of Rights (Effective July 1, 2024): Narrow in scope, this legislation focuses exclusively on businesses with over $1 billion in global annual revenue. Its stringent thresholds reflect Florida’s conservative economic policy.
  5. Montana Consumer Data Privacy Act (Effective October 1, 2024): Tailored to Montana’s specific needs, this act targets businesses based on their interaction with Montana consumers, applying to those with significant data volume or revenue.


The Broader Implications

These new regulations collectively impact how businesses collect, process, and share consumer data. Digital advertising models, particularly those relying on consent-based behavioural targeting, will face renewed scrutiny. Moreover, the growing attention to children’s online safety, driven by the Biden administration and the FTC, indicates further regulatory developments in the pipeline, including the Kids Online Safety Act.


Future Challenges and Solutions

Navigating this fragmented regulatory landscape presents a daunting challenge for organisations operating across multiple jurisdictions. With more states set to follow suit, maintaining compliance requires strategic vigilance and expertise. For businesses seeking clarity and compliance across state borders, Formiti’s US Data Privacy Service offers a comprehensive solution. Our services provide a thorough understanding of each state’s nuanced requirements, ensuring tailored compliance strategies.


For organisations requiring a more global approach, our Outsourced Data Protection Officer (DPO) Service delivers unparalleled expertise. It simplifies the complexity of multi-jurisdictional data protection laws, allowing businesses to focus on growth while we ensure their data practices remain aligned with evolving regulations.



The US state-by-state data privacy regulation patchwork will continue to evolve, requiring businesses to stay adaptable and compliant with the expanding array of laws. By harnessing Formiti’s US Data Privacy Service and Outsourced DPO Service, organisations can navigate this challenging terrain with confidence and ensure seamless compliance.