
How organizations can navigate the current status of state privacy laws

December 7, 2023
Cyrus Tehrani

Not long ago, the term data privacy was considered a buzzword. Today, data privacy has moved to the forefront of the minds of CIOs, CSOs and security teams, especially as data breaches proliferate in the tech headlines. State and federal governments are trying to keep up with the threat landscape. Still, every privacy law has its own idiosyncrasies that can present a unique challenge for businesses.

Without a comprehensive federal privacy law, the country is left with state-level legislation for the time being. As the landscape continues to evolve, legal puzzles and strategic concerns arise for businesses operating across state lines.

Let’s explore the current US state privacy laws and briefly demonstrate how Concentric AI can help organizations comply.


California Consumer Privacy Act (CCPA): Established in January 2020, the CCPA grants Californians rights over their personal data — including access, deletion, and the right to opt out of the sale of their personal information.

California Privacy Rights Act (CPRA): An extension of CCPA, the CPRA was effective from December 2020, with revisions effective in January 2023. CPRA expands rights to include correction of personal data and limits businesses’ use of sensitive personal information.


Virginia Consumer Data Protection Act (VCDPA): Effective January 2023, Virginia’s privacy act allows Virginians to access, correct, and delete their personal data and opt out of processing for targeted advertising, sale of personal data, or profiling.


Connecticut Data Privacy Act: Effective July 2023, Connecticut’s act empowers consumers with rights over their data and places additional responsibilities on businesses handling Connecticut consumers’ data.


Colorado Privacy Act (CPA): Effective July 2023, the CPA provides rights similar to Virginia’s law and includes data portability and the right to opt out of automated decision-making.


Utah Consumer Privacy Act (UCPA): Effective December 2023, Utah’s act takes a business-friendly approach and applies to parties that meet specific revenue and consumer data thresholds.


Tennessee Information Protection Act (TIPA): Effective from July 2024, TIPA applies to businesses in Tennessee or targeting Tennessee residents, with specific thresholds similar to Virginia, Iowa, and Indiana. The law contains more exemptions than other state laws.


Montana Consumer Data Privacy Act: Effective from October 2024, Montana’s act requires opt-in consent for the sale of personal data for consumers aged 13-16 and applies to businesses operating in Montana. Consumers also have rights to confirm, access, delete, obtain a copy, and opt out of certain processing activities.


Iowa Consumer Data Protection Act: Set to come into effect in January 2025, Iowa’s regulation applies to businesses controlling or processing personal data of a significant number of Iowa consumers or those deriving a major part of their revenue from selling personal data.


Indiana Consumer Data Protection Act: Set to come into effect in January 2026, Indiana’s act is very similar to those of Colorado, Connecticut, and Virginia, but provides a longer compliance timeline for organizations.

States with legislation upcoming and still in contention

The privacy law trend for other states continues to roll along. Texas is on the cusp of becoming the tenth state to enact comprehensive privacy legislation, with a bill that echoes elements of Virginia, Colorado, and Connecticut laws.

Other states like Delaware, Louisiana, Maine, Massachusetts, New Hampshire, New York, North Carolina, Oregon, Pennsylvania, and Rhode Island are also in the process of introducing their privacy bills.

This trend clearly indicates a shift towards more robust privacy regulations across the US.

Implications for organizations

For organizations, this diversity in state laws opens the door to a myriad of hurdles. The varying requirements and scopes of the regulations mean that a one-size-fits-all approach to privacy policy won’t cut it. Organizations must stay informed and agile, adapting privacy strategies to comply with each state’s specific regulations. For businesses operating in multiple states, agility is crucial.

When it comes to compliance, there are five key steps organizations should focus on:

Discover: Identify personal and sensitive data and know exactly where it resides.

Map: Determine how personal and sensitive data is being shared with third parties and know if that third party is exempt from any regulatory requirements.

Manage: Govern how the data is used and accessed (data governance).

Protect: Deploy robust security controls to prevent, detect, and respond to vulnerabilities and data breaches.

Document: Document your data breach response program and ensure any contracts with relevant third parties can take advantage of opt-out exceptions.

Concentric AI’s role in compliance

In this complex regulatory environment, Concentric AI offers the visibility and control of sensitive data needed to keep up with regulations.

Much like our approach to GDPR compliance, we provide a three-step strategy to help organizations align with US state privacy laws:

Discovery: Our advanced machine learning algorithms scan and categorize sensitive data, helping businesses understand the nature and risks associated with the data they hold.

Monitoring: We offer continuous risk assessment, tracking how sensitive data is used, shared, and accessed so that organizations can identify potential compliance risks.

Remediation: Our Risk Distance™ analysis identifies risks and enables businesses to remediate them autonomously and proactively, ensuring compliance with various state laws.

Book a demo today to see firsthand — with your own data — how Concentric AI can quickly and easily be deployed to manage compliance in your organization.

