58 views 31 secs 0 comments

U.S. State Privacy Laws: Making Sense of the Mess

In Legal News
January 31, 2025

Law professor Daniel Solove writes:

The year kicked off with several privacy laws coming into effect, and there are several more scheduled to become active this year. Here’s a current list:

  • Iowa (January 1, 2025)
  • Delaware (January 1, 2025)
  • Nebraska (January 1, 2025)
  • New Hampshire (January 1, 2025)
  • New Jersey (January 15, 2025)
  • Tennessee (July 1, 2025)
  • Minnesota (July 31, 2025)
  • Maryland (October 1, 2025)

With about 20 states with a consumer privacy law (plus a growing number of subject-specific state privacy laws), the landscape is becoming unwieldy. But the laws share a lot of similarities, so it’s far from total madness.

Key Similarities and Differences

Here’s some help in cutting through the madness.

  • All state consumer privacy laws are extraterritorial
  • Unlike the GDPR, which applies to all types of entities, most state laws apply only to for-profit companies (exceptions: MN, DE, NJ, CO, OR, MD).
  • Unlike the GDPR, nearly all state privacy laws don’t apply to the government (because in the U.S., governments hate to follow rules like everyone else) .
  • Most define personal data similarly to the GDPR.
  • Unlike the GDPR, most have thresholds to exclude small business (but thresholds vary).

Read more on LinkedIn.