The landscape of U.S. state privacy laws is rapidly evolving, with many states already enacting comprehensive laws that give individuals greater control over and rights in their personal information.

The following state privacy laws have taken or will take effect in the near future:

  • California Privacy Rights Act, which amends the California Consumer Privacy Act (as of January 1, 2023)
  • Virginia Consumer Data Protection Act (as of January 1, 2023)
  • Colorado Privacy Act (as of July 1, 2023)
  • Connecticut Data Privacy Act (as of July 1, 2023)
  • Utah Consumer Privacy Act (as of December 31, 2023)
  • Washington My Health My Data Act (March 31, 2024)

More states are looking to establish data privacy laws due to the absence of a comprehensive federal data privacy statute and evolving online technologies and practices that increasingly collect personal information.

Additionally, some states that have not passed comprehensive privacy laws yet are currently regulating specific data privacy issues. For example, Illinois, Texas, and Washington have statutes in place that focus on businesses’ collection, handling, protection, and use of biometric data, and several other states have already proposed biometric privacy legislation.

The state privacy laws that have passed or are expected to pass, while similar in some ways, have significant differences. In addition, there are numerous exemptions for personal or sensitive information regulated under other data privacy frameworks, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The state data privacy laws may also require that reasonable administrative, technical, and physical safeguards be put in place to ensure the cybersecurity of personal information. Although the state data privacy laws are similar, they have critical differences—for example, some exclude HIPAA-covered entities entirely, while some only exclude data covered by HIPAA (but not non-covered data held by HIPAA-covered entities). Thus, it is becoming increasingly difficult for businesses and other organizations to ensure compliance with this complicated patchwork of laws.

Epstein Becker Green helps clients across industries understand, address, and comply with state privacy laws. Clients value the ability of our Privacy, Cybersecurity & Data Asset Management team, with its industry-leading, credentialed privacy attorneys, to translate legal standards into practical solutions.

Read more

How We Help

We advise clients on which state and federal privacy laws apply to them, what their obligations are under those laws, and how they can reconcile conflicting state privacy law requirements. Our services in this area also include:

  • Assisting clients with designing, implementing, and maintaining a comprehensive U.S. privacy compliance program that is adaptable to new state privacy laws and trends
  • Providing advice on integrating the clients’ U.S. privacy compliance obligations with programs implemented to comply with international laws (e.g., the European Union’s General Data Protection Regulation)
  • Reviewing and revising, where necessary, privacy notices and policies, including website privacy notices and terms of use
  • Reviewing and negotiating vendor and customer contracts to ensure that they include appropriate privacy protections and comply with state privacy laws
  • Providing training to a client’s employees on how to comply with state privacy laws
  • Conducting data protection impact assessments that evaluate how a client collects, uses, discloses, and discards personal information
  • Representing clients in privacy investigations and enforcement actions
  • Monitoring and keeping clients informed of privacy and data security-related trends and legislation at the state and federal levels
  • Providing advice on data retention policies and schedules

Read less

Focus Areas


  • Prepared and reviewed numerous website privacy policies and notices for health, financial services, and e-commerce clients.
  • Prepared and reviewed numerous data privacy addendums and commercial agreements addressing state data privacy requirements across all client industries.
  • Prepared data privacy notices for employees under the CPRA.
  • Advised numerous clients regarding cookies, pixels, and tracking technologies used on websites to comply with state and federal data privacy requirements.
  • Defended clients against claims asserting state data privacy and wiretapping violations.
  • Advised clients in the implementation of data privacy and cybersecurity programs to comply with state and federal law.
  • Prepared HIPAA preemption analyses comparing state law and HIPAA for coordination under the HIPAA preemption rule.





Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.