The Rising Challenge of Data Privacy for Marketers: Navigating 17 State Laws by 2025
As the 118th session of the U.S. Congress draws to a close, one glaring omission remains: the failure to pass a national data privacy law. This legislative gap leaves marketers with a complex web of regulations to navigate, as 17 states have stepped in to fill the void with their own laws—six of which are already in effect. By October of next year, marketers will need to comply with 11 additional state-specific privacy laws, each with its own nuances, requirements, and definitions.
For marketing operations (MOps) professionals, this is the beginning of a complex and often contradictory set of obligations that will govern how consumer data is handled across the country. While these state laws share some common ground, particularly in granting consumers rights to access, delete, and opt-out of personal information (PI) sales, they differ substantially in terms of scope, compliance triggers, and operational requirements. Let’s take a look at the existing and upcoming laws that marketers need to prepare for.
Existing Data Privacy Laws
1. California Consumer Privacy Act (CCPA)
- Effective: January 1, 2020
- Applies to: Businesses with at least $25 million in annual revenue, those buying/selling PI of 100,000+ consumers, or those deriving 50%+ of revenue from PI sales.
- Key Requirements:
- Consumers can opt out of the sale of their PI.
- Sensitive data processing is limited.
- Privacy notices must be provided, and data retention periods must be established.
- Businesses are required to ensure service providers comply with the law.
2. Virginia Consumer Data Protection Act (VCDPA)
- Effective: January 1, 2023
- Applies to: Businesses controlling or processing PI of 100,000+ consumers or deriving 50%+ of revenue from PI sales.
- Key Requirements:
- Privacy Impact Assessments are mandatory.
- Consumers can opt out of PI sales.
- Businesses must have data processing agreements with processors.
3. Colorado Privacy Act (CPA)
- Effective: July 1, 2023
- Applies to: Businesses processing data of 100,000+ consumers or earning revenue through PI sales.
- Key Requirements:
- Opt-out rights for PI sales, targeted advertising, and profiling.
- Data protection assessments are required.
- Privacy notices must be issued to consumers.
4. Connecticut Data Privacy Act
- Effective: July 1, 2023
- Applies to: Businesses processing data of 100,000+ consumers or 25,000+ consumers while deriving 25%+ of revenue from PI sales.
- Key Requirements:
- Data minimization and opt-out mechanisms for sensitive PI.
- Privacy notices and data protection assessments are mandatory.
5. Utah Consumer Privacy Act
- Effective: December 31, 2023
- Applies to: Businesses with $25 million+ in revenue and processing the PI of 100,000+ consumers.
- Key Requirements:
- Consumers can opt out of targeted advertising.
- Written agreements must be in place for data processing.
6. Oregon Consumer Privacy Act
- Effective: July 1, 2024
- Applies to: Businesses controlling or processing PI of 100,000+ consumers or 25,000+ consumers with 25%+ revenue from PI sales.
- Key Requirements:
- Consent is required for sensitive data processing and profiling adolescents.
- Consumers can request deletion and opt out of data sales and advertising.
Upcoming Data Privacy Laws
1. Montana Consumer Data Privacy Act
- Effective: October 1, 2024
- Key Requirements: Businesses must honor opt-out requests, provide privacy notices, and obtain explicit consent before collecting sensitive data.
2. Iowa Consumer Data Protection Act
- Effective: January 1, 2025
- Key Requirements: Businesses must limit data collection to specific purposes, allow opt-out for data sales, and provide consumers with privacy notices.
3. Delaware Personal Data Privacy Act
- Effective: January 1, 2025
- Key Requirements: Data collection must be minimal and relevant, and businesses must honor consumer opt-out requests and obtain consent for sensitive data processing.
4. New Jersey Consumer Data Privacy Bill
- Effective: January 16, 2025
- Key Requirements: Businesses must obtain consent for processing children’s data and maintain comprehensive security measures for data protection.
5. Texas Data Privacy and Security Act
- Effective: January 1, 2025
- Key Requirements: Businesses must allow consumers to opt out of PI sales and obtain consent for sensitive data processing.
6. Tennessee Information Protection Act
- Effective: July 1, 2025
- Key Requirements: Businesses must implement privacy notices, limit data processing to its intended purpose, and honor opt-out requests for PI sales.
7. Kentucky Consumer Data Protection Act
- Effective: January 1, 2026
- Key Requirements: Opt-out rights, privacy impact assessments, and data protection safeguards are required for businesses processing large volumes of consumer data.
8. Indiana Data Privacy Law
- Effective: January 1, 2026
- Key Requirements: Businesses must conduct data impact assessments and limit data processing to its intended purposes while allowing consumers to opt out of PI sales.
9. Nebraska Data Privacy Act
- Effective: October 1, 2025
- Key Requirements: Businesses must implement technical safeguards and allow consumers to opt out of data sales and targeted advertising.
10. Maryland Online Data Privacy Act
- Effective: October 1, 2025
- Key Requirements: The sale of personal data is banned, and businesses can only collect data necessary for requested services.
A Fragmented Future: Preparing for 17 Laws
With 17 state privacy laws set to govern marketing activities by 2025, marketers will need to build robust data governance strategies that account for varying compliance requirements. It’s crucial to understand the differences in how states define “personal information” and the specific mechanisms needed to comply with each law. Although state laws share common threads, businesses need to invest in legal and operational teams to maintain compliance across multiple jurisdictions, or risk hefty fines and legal battles.
As more states pass new laws or amend existing ones, the complexity of navigating U.S. data privacy laws is set to grow. It’s essential for businesses to stay updated on legal developments, implement comprehensive privacy policies, and ensure their marketing operations are compliant in every state they operate.
The national data privacy law may still be on the horizon, but for now, marketers must juggle 17 slightly different regulatory frameworks, each bringing its own unique headaches.