U.S. Privacy Laws & Compliance Guide: State Regulations Explained

The GDPR is a single, comprehensive regulation that applies across the EU and generally requires opt-in consent before activities like tracking and targeted advertising.

In contrast, the U.S. follows a state-by-state approach. Most U.S. laws rely on opt-out models, though states such as Maryland forbid the sale of certain sensitive data altogether.

Why it matters:
Managing GDPR plus 20+ state privacy laws manually is not scalable. DataGrail centralizes global and U.S. compliance into one system.

At a minimum, organizations should have:

• Accurate data inventories
• DSAR workflows
• Consent and opt-out mechanisms
• Updated privacy notices
• Vendor data-sharing visibility

Why it matters:
Without automation, these requirements quickly become operational bottlenecks. DataGrail turns compliance into repeatable workflows instead of ad hoc processes.

Some of the most aggressive laws include:

• California (CPRA): Broad scope, employee data, dedicated regulator
• Colorado (CPA): Detailed regulations and strict consent rules
• Washington (MHMDA): Expansive health data definition + private right of action
• Maryland (MODPA): Very strict rules on data minimization for sensitive data, regardless of user consent

Additional state privacy laws continue to take effect each year, making scalability and adaptability critical.

States use criteria like revenue thresholds, percentage of revenue derived from data sales, and data volume to determine applicability of their privacy laws. You’ll need to know each of these figures for your company to determine your applicability. 

Revenue thresholds:

• $25 million annual revenue: California (CCPA/CPRA) 
• $1 billion annual revenue: Florida (FDBR) and Texas (TDPSA) 

Percentage of revenue derived from sales thresholds:

• 20% of gross revenue from sale (sometimes share) of personal data: Rhode Island (RIDTPPA) 
• 25% of gross revenue from sale (sometimes share) of personal data: Minnesota (MCDPA), Connecticut (CTDPA), Oregon (OCPA), Montana (MTCDPA)
• 50% of gross revenue from sale (sometimes share) of personal data: California (CCPA/CPRA), Virginia (VCDPA), Utah (UCPA), Indiana (INCDPA), Iowa (ICDPA), Kentucky (KCDPA), Tennessee (TIPA)

Data volume thresholds (generally, of state residents): 

• 35,000+ consumers: Delaware, Maryland, New Hampshire, Rhode Island
• 50,000+ consumers:  Montana
• 100,000+ consumers: Virginia, Utah, Oregon, New Jersey, Minnesota, Kentucky, Iowa, Indiana, Colorado, Connecticut, California
• 175,000+ consumers: Tennessee

Additionally, states like New Jersey, Colorado, Texas, Nebraska, and Connecticut have more unique applicability terms.

States differ on how their applicability criteria interact, and many states exempt certain organizations. Confirm your legal requirements with counsel. 

Most are enforced by state Attorneys General, with penalties per violation. Some laws include limited private rights of action, particularly for health or biometric data. Depending on the state, penalties could range from $2,500 – $50,000 per violation.

There is no single federal privacy law equivalent to GDPR, but several sector-specific laws apply nationwide, including:

• HIPAA (health data)
• GLBA (financial institutions)
• COPPA (children’s data)

Additionally, agencies like the FTC and FCC continue to enforce privacy-related rules through consumer protection authority.

The most effective approach is to build a scalable privacy compliance framework that adapts as regulations evolve. This can include a centralized data inventory, automated consumer rights workflows, and AI-powered risk assessments.