Summary.
https://pogowasright.org/u-s-state-privacy-laws-making-sense-of-the-mess/
U.S. State Privacy Laws: Making Sense of the Mess
Privacy law scholar Dan Solove writes:
The year kicked off with several privacy laws coming into effect, and there are several more scheduled to become active this year. Here’s a current list:
Iowa (January 1, 2025)
Delaware (January 1, 2025)
Nebraska (January 1, 2025)
New Hampshire (January 1, 2025)
New Jersey (January 15, 2025)
Tennessee (July 1, 2025)
Minnesota (July 31, 2025)
Maryland (October 1, 2025)
With about 20 states with a consumer privacy law (plus a growing number of subject-specific state privacy laws), the landscape is becoming unwieldy. But the laws share a lot of similarities, so it’s far from total madness.
Key Similarities and Differences
Here’s some help in cutting through the madness.
All state consumer privacy laws are extraterritorial
Unlike the GDPR, which applies to all types of entities, most state laws apply only to for-profit companies (exceptions: MN, DE, NJ, CO, OR, MD).
Unlike the GDPR, nearly all state privacy laws don’t apply to the government (because in the U.S., governments hate to follow rules like everyone else) .
Most define personal data similarly to the GDPR.
Unlike the GDPR, most have thresholds to exclude small business (but thresholds vary).
Most exclude data regulated by federal privacy laws such as HIPAA, GLBA, FCRA, and FERPA
Most have similar categories of sensitive data, though there are some variations. Most recognized categories include racial or ethnic origin, sexual orientation (several also include sex life), genetic or biometric data, religious beliefs, mental and physical health diagnosis (considerable variation on how this is worded), citizenship or immigration status, data collected from a child, and precise geolocation.
Most provide for individual rights to access, deletion, correction, data portability.
Most provide opt out rights for sale of data, targeted ads, profiling.
Most require opt in (and a PIA) for processing sensitive data (exceptions: UT, CA).
Most require data processing agreements.
Most require PIAs for targeted ads, profiling, sensitive data, sale of data, and risk of harm.
Most are enforced by state AGs and have fines (exception: CA is enforced by a special privacy agency).
Most lack a private right of action (exception: CA has a private right of action for data breaches).
Read more at LinkedIn.
For more background and opinion from Dan, read an earlier piece by him: U.S. State Privacy Laws – A Lack of Imagination
Related: REPORT: The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better (EPIC and U.S. PIRG)
(Related)
Article: Privacy in Authoritarian Times: Surveillance Capitalism and Government Surveillance — Solove
Law professor Dan Solove has posted a new draft article, Privacy in Authoritarian Times: Surveillance Capitalism and Government Surveillance. You can read or download a free copy at SSRN.
Here is the Abstract:
As the United States and much of the world face a resurgence of authoritarianism, the critical importance of privacy cannot be overstated. Privacy serves as a fundamental safeguard against the overreach of authoritarian governments.
Authoritarian power is greatly enhanced in today’s era of pervasive surveillance and relentless data collection. We are living in the age of “surveillance capitalism.” There are vast digital dossiers about every person assembled by thousands of corporations and readily available for the government to access.
In the coming years, both the federal government and some state governments may intensify surveillance and data collection efforts, targeting immigrants, punishing those involved in seeking or providing abortion services, and cracking down on gender-affirming healthcare. Personal data could also be weaponized against critics and others who resist these efforts. These campaigns may be bolstered by vigilante groups, using personal data to dox, threaten, and harm individuals they oppose—echoing historical instances where ordinary citizens actively aided totalitarian regimes in identifying and punishing dissenters or perceived “undesirables.”
In this Article, I contend that privacy protections must be significantly heightened to respond to growing threats of authoritarianism. Major regulatory interventions are necessary to prevent government surveillance from being used in inimical ways. But reforming Fourth Amendment jurisprudence and government surveillance alone will not protect against many authoritarian invasions of privacy, especially given the oligarchical character of the current strain of authoritarianism.
To adequately regulate government surveillance, it is essential to also regulate surveillance capitalism. Government surveillance and surveillance capitalism are two sides of the same coin. It is impossible to protect privacy from authoritarianism without addressing consumer privacy.
This Article proposes regulatory measures that should be taken to address government surveillance and surveillance capitalism – on both sides of the coin – to guard against authoritarianism. Federal lower court judges have some leeway to strengthen Fourth Amendment and other Constitutional protections as well as consumer privacy protections. State court judges can interpret their state’s constitutions in ways that diverge from the way U.S. Supreme Court interpretations. State legislators can enact a wide array of measures to limit government surveillance by their states and others as well as to reign in surveillance capitalism, minimize the data available to authoritarian regimes, regulate data brokers, incentivize the creation of less privacy-invasive surveillance technologies, and curtail the increasing government-industrial collusion. There is no silver bullet, but these measures across the entire landscape of privacy law can make a meaningful difference.
Download the full article (pdf) or read it in your browser.
