U.S. State Data Privacy Laws: What Your Business Needs to Know in 2025

Compliance and Regulations
Written By Helen Lavigne

By: De'Von Carter

If your business collects personal data — whether through an app, website, or customer interaction — state data privacy laws may apply to you, even if you don’t have a physical presence in those states.

While many companies scrambled to comply with Europe’s GDPR, the U.S. is now catching up with a growing number of comprehensive data privacy laws at the state level. These laws give consumers rights over their personal data and impose new obligations on businesses.

States with Comprehensive Privacy Laws (as of April 2025):

California (CCPA/CPRA)

  • Virginia (VCDPA)

  • Colorado (CPA)

  • Connecticut (CTDPA)

  • Utah (UCPA)

  • Iowa

  • Indiana

  • Tennessee

  • Montana

  • Texas

  • Oregon

  • Delaware

  • New Jersey

  • New Hampshire

  • Nebraska

  • Kentucky

These laws typically include:

The right for consumers to access, delete, or correct their data

  • Requirements to disclose data collection practices

  • Opt-out rights for data sales or targeted advertising

  • Security and data minimization obligations for businesses

  • Certain laws may require data protection assessments or third-party oversight

Even if your business is located outside these states, if you have customers, users, or site visitors from them, the law may still apply.

What This Means for You

To stay compliant, businesses should:

Map out what personal data they collect and where it goes

  • Review and update privacy policies

  • Create workflows to respond to consumer requests (access, deletion, etc.)

  • Ensure that your technology can support these workflows

  • Implement safeguards for third-party data sharing and vendors

  • Monitor legal changes regularly

Need Help Navigating Privacy Laws?

At Fourscore Law, we help businesses assess risk and build smart, scalable compliance strategies across multiple jurisdictions. Whether you're preparing for an upcoming state law or revamping your overall privacy program, our team is here to support you.

Reach out to a Fourscore attorney today to schedule a consultation and protect your business in this rapidly changing legal landscape.

Picture on the top is by Fernando Arcos and is in the public domain.


Common Questions About State Data Privacy Laws

  • A: Yes — if your customers, users, or website visitors are from a state with a privacy law, that law may apply to your business regardless of where you're physically located. Your location doesn't determine your compliance obligations.

  • A: Consumers can typically access, delete, or correct their personal data, and opt out of having it sold or used for targeted advertising. Businesses must also disclose what data they collect and how it's used.

  • A: As of April 2025, 16 states have comprehensive privacy laws, including California, Virginia, Colorado, Texas, New Jersey, and Delaware, among others. The list is growing, so businesses should monitor legal changes regularly.

  • A: Start by mapping what personal data you collect and where it goes, then update your privacy policy and create workflows to handle consumer requests like data access or deletion. You should also review how you share data with third-party vendors.

Helen Lavigne
Previous

What’s the Deal With Wyoming LLCs?

Next

April Update: Does your business need a bank account?