Legal · Data Privacy

The State Privacy Patchwork: One Program, Twenty Laws.

June 2026 7 Min Read By Mohammed Siraj

With comprehensive privacy statutes now enacted in roughly twenty states and no federal law in sight, US companies face a genuine patchwork: overlapping but non-identical definitions, rights, and enforcement regimes. The companies handling this well are not running twenty compliance projects — they are running one program built to the strictest common denominator.

Where the Laws Diverge — and Where They Don't

The state laws share a common skeleton: notice obligations, consumer rights (access, deletion, correction, portability), opt-outs for sale and targeted advertising, and data protection assessments for higher-risk processing. The divergence is in the details that operational teams feel daily: applicability thresholds, cure periods (and whether they expire), the consent standard for sensitive data (opt-in versus opt-out), whether a universal opt-out signal such as Global Privacy Control must be honored, and the treatment of profiling. California remains the outlier with its dedicated enforcement agency, its coverage of employee and B2B data, and its rulemaking on automated decision-making and risk assessments.

Enforcement Is No Longer Theoretical

State attorneys general and the California Privacy Protection Agency have moved from education to enforcement, with actions targeting dark patterns, broken opt-out mechanisms, and inaccurate privacy notices. The practical lesson from the early actions is consistent: regulators test the consumer-facing reality — does the "Do Not Sell" link actually work, does the deletion request actually propagate to vendors — rather than the elegance of the written policy.

The Strictest-Common-Denominator Program

  • 01 One data inventory covering all personal data, mapped to every state's definitions.
  • 02 Consumer rights handling built to the shortest deadline and broadest scope among applicable states.
  • 03 Universal opt-out signals (GPC) honored everywhere, not just where mandated.
  • 04 Data protection assessments templated once, reused across state requirements.
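Item 03 above is the one program element that is mechanical rather than documentary: Global Privacy Control reaches a server as the request header `Sec-GPC: 1` (the value must be exactly `1`; anything else is not a signal) and reaches page scripts as `navigator.globalPrivacyControl === true`. The example below, added here and not drawn from the article or from any vendor's consent library, shows the "honored everywhere" rule applied to a stored preference record and to tag loading. The function names, the shape of the preference record, the tag categories and the sample request are all this example's own assumptions.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal everywhere,
// regardless of which state mandates it. Helper names, the preference record
// shape and the sample request below are assumptions made for this example.

// Server side: GPC is the request header "Sec-GPC" with the exact value "1".
// Header names are case-insensitive, so match on the lower-cased name.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser side: the same decision from navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a stored preference record (example shape:
// { saleOptOut, targetedAdsOptOut, source }). A valid GPC signal is treated as
// an opt-out of sale/sharing and of targeted advertising for every visitor,
// which is the strictest-common-denominator reading. The input is not mutated.
function applyUniversalOptOut(headers, prefs) {
  const next = { ...prefs };
  if (gpcSignalled(headers)) {
    next.saleOptOut = true;
    next.targetedAdsOptOut = true;
    next.source = 'gpc';
  }
  return next;
}

// Gate third-party tags on the resulting record so the opt-out is real,
// not just recorded: categories the visitor opted out of are never loaded.
function allowedTags(prefs, tags) {
  return tags.filter(tag =>
    !(tag.category === 'targeted-advertising' && prefs.targetedAdsOptOut) &&
    !(tag.category === 'sale' && prefs.saleOptOut));
}

// Constructed sample request headers (not a real capture) and defaults.
const sampleRequest = {
  'Host': 'www.example.com',
  'User-Agent': 'Mozilla/5.0',
  'Sec-GPC': '1',
};
const defaultPrefs = { saleOptOut: false, targetedAdsOptOut: false, source: 'default' };
const tagCatalog = [
  { id: 'first-party-analytics', category: 'analytics' },
  { id: 'retargeting-pixel', category: 'targeted-advertising' },
  { id: 'data-broker-beacon', category: 'sale' },
];

// Stand-alone run: with Sec-GPC: 1 only the analytics tag survives.
const decided = applyUniversalOptOut(sampleRequest, defaultPrefs);
console.log(decided, allowedTags(decided, tagCatalog).map(t => t.id));
```

The two details regulators actually test are visible here: the signal is honored without a geolocation check, and the decision is enforced at tag-loading time rather than only written into a consent record. A production implementation would persist the record per user (and reconcile it with any explicit consent the visitor later gives on the site's own controls) rather than recompute it per request.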

What to Do This Year

First, refresh the data inventory — most were built for CCPA alone and miss the sensitive-data categories newer states regulate. Second, test the rights-request pipeline end to end, including vendor propagation, because that is where enforcement actions have landed. Third, formalize data protection assessments for targeted advertising, profiling and sensitive data processing; several states can demand them on request. Fourth, revisit vendor contracts for the processor obligations the newer laws prescribe. A program assembled this way absorbs each new state statute as configuration, not as a project.

Build one privacy program for fifty states.

Our technology and legal teams build privacy programs that hold up to regulator testing — inventory, rights pipeline, assessments and vendor governance.

Talk to our team