Ryan Mack
Associate Editor
Loyola University Chicago School of Law, JD 2027
The United States has reached a critical inflection point in data privacy regulation. Today, twenty states have adopted comprehensive privacy laws, creating an increasingly complex array of regulatory requirements that interstate businesses must adhere to. Since the federal government has yet to enact universal privacy legislation and none is coming in the foreseeable future, companies face mounting stress to navigate divergent state requirements while contending with a historic shift toward coordinated multi-state enforcement efforts.
Understanding state privacy requirements
Data privacy regulation governs how businesses collect, use, and protect personal information, granting consumers rights to access their data, delete their data, and control sales to third parties. Privacy laws protect consumers from exploitation of personal data, guarding against unwanted tracking, discriminatory practices, and data breaches. Despite this need, Congress has failed to enact comprehensive federal privacy legislation, leaving states to create their own regulations. The result is twenty varying state regulations, each with unique thresholds, definitions, and enforcement mechanisms. One argument is that a universal federal mandate would establish uniform national standards, reduce compliance costs, and ensure consistent protections for all Americans. However, a federal law could preempt stronger state protections, potentially weakening privacy rights in states with more comprehensive regulations.
For the first time in five years, 2025 saw no new enactments of comprehensive state privacy laws. However, states have now pivoted to enforcing existing privacy laws. While state privacy laws share fundamental similarities, differences create compliance challenges. On January 1, 2026, Connecticut and Oregon began requiring universal opt-out mechanisms, browser-based tools that let users set their privacy preferences once and apply them automatically across all websites, bringing the total to ten states that mandate automated opt-outs. Definitions of what constitutes sensitive data vary drastically. For example, Connecticut’s SB 1295 includes neural data, which is defined as “any information that is generated by measuring the activity of an individual’s central nervous system.” Oregon restricts precise geolocation, and numerous states have tightened protections for minors. Enforcement timelines and cure periods also vary by state.
The new era of multi-state enforcement
States are no longer enforcing privacy laws in isolation. The formation of the Consortium of Privacy Regulators in April 2025 marked a turning point in multi-state enforcement. By October of that year, the consortium had grown to include ten states. This coordination enables joint investigative sweeps, as demonstrated in September 2025 when California, Colorado, and Connecticut launched a coordinated investigation focused on Global Privacy Control compliance. Such coordinated efforts mean that violations in one state can trigger simultaneous investigations across multiple jurisdictions.
State enforcement accelerated in 2025. For example, California secured $1.55 million in civil penalties against Healthline Media for improperly sharing health-related data with third parties, $1.4 million against Jam City for selling and sharing personal information of users aged 13-16 without consent, and $1.35 million against Tractor Supply Co. for failing to properly disclose privacy rights and process opt-out requests. The California Privacy Protection Agency’s funding model retains 95% of civil penalties, creating a self-replenishing mechanism that drives expanding enforcement.
Enforcement priorities converge around several key areas. Importantly, youth privacy dominates, with states scrutinizing age verification and data collection from minors. Global Privacy Control compliance has become a top priority. Data broker regulation has also intensified, with California’s Delete Act enforcement resulting in actions against unregistered brokers. Additionally, service provider agreements have emerged as consistent targets, with the Tractor Supply and Healthline settlements alleging failures to implement required privacy terms in vendor contracts.
The compliance landscape
Given the complexity of navigating divergent requirements across twenty state regimes, manual compliance is no longer feasible. Businesses require jurisdiction-aware automation that can detect user location, apply state-specific controls, and maintain auditable records. Organizations should refresh data inventories to include emerging categories like neural data and precise geolocation, update privacy policies to reflect 2026 requirements, and ensure cookie mechanisms honor universal opt-out signals. All contracts must contain mandated privacy provisions, a unique requirement many businesses have been overlooking. For businesses subject to risk assessments, conducting mock assessments under attorney-client privilege provides an opportunity to identify and remedy compliance gaps before formal reporting obligations begin.
State regulators have signaled clear priorities for 2026. California will focus on Global Privacy Control audits, data broker compliance, service provider contracts, and children’s data protection. Colorado will enforce biometric data rules. Connecticut will scrutinize universal opt-out implementation. The consortium’s expansion and California’s self-replenishing budget create a feedback loop where enforcement generates penalties funding further expansion.
As the United States operates without any current or likely future federal privacy legislation, state-driven models define the overall national compliance landscape. The shift from enacting laws to aggressively enforcing them, coupled with unprecedented multi-state coordination, marks a fundamental transformation in privacy regulation. Businesses can no longer treat state privacy laws as isolated obligations. The consortium era demands comprehensive governance systems managing divergent requirements across twenty jurisdictions while anticipating coordinated enforcement actions that trigger simultaneous investigations across multiple states.