State Privacy Laws: What Organizations Need to Know
By Pete Rife
Note: This article was originally published about the CCPA. Since then, the CPRA has amended California's law, and more than 20 U.S. states have enacted comprehensive privacy legislation. The landscape has changed significantly — please contact Blair Carlisle for current guidance on your specific obligations.
The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020, and was a watershed moment for U.S. privacy law. It granted California consumers new rights over their personal data and imposed new obligations on the businesses that collect it. Since then, it has been amended by the California Privacy Rights Act (CPRA), and has been joined by comprehensive privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, and more than a dozen other states.
What the California Framework Established
The CCPA granted consumers the right to know what personal information is being collected about them, the right to delete that information, the right to opt out of the sale of their data, and the right to non-discrimination for exercising those rights. The CPRA extended these protections, created the California Privacy Protection Agency, and introduced new categories of sensitive personal information with heightened protections.
The Broader Landscape
What CCPA started has become a patchwork of state laws — each with different thresholds, definitions, and consumer rights. For organizations that operate nationally or handle data from residents across multiple states, this creates a complex compliance matrix. The approach we recommend: build a privacy program that meets the most stringent applicable requirements, because those programs tend to satisfy the less stringent ones as well.
Foundational Steps
Regardless of which laws apply to your organization, the foundational work is the same:
- Understand what personal data you collect, where it lives, and how it flows
- Map your data to identify where regulated data (including special categories) is processed
- Ensure your Privacy Policy accurately describes your practices
- Build processes to respond to consumer rights requests within required timeframes
- Maintain records of requests and responses
- Train your team on their obligations
Why This Matters Now
Privacy regulators are actively enforcing. The penalties — ranging from thousands to tens of thousands of dollars per violation — add up quickly for organizations that haven't invested in compliance. And beyond regulatory risk, customers and business partners increasingly expect you to demonstrate a mature approach to data privacy.
If you haven't completed a privacy compliance assessment recently, now is the time. Contact Blair Carlisle to discuss your obligations and the most efficient path to compliance.
Questions about your specific situation?
Our advisors work with organizations of every size across the industries covered in this article. Start a conversation — no obligation.