隐私状态：国家法律对国家框架的启示

ASH JOHNSON|JUNE 2026 The United States’ patchwork approach to privacy is unworkable in the long term. But thatpatchwork is already here, and Congress can learn from the policies states have implemented to KEY TAKEAWAYS Meaningful differences have emerged in how state privacy laws define key terms, allocaterights to consumers, impose obligations on data holders, and structure oversight and The vast majority of broad state privacy laws share common provisions that could provide There are more significant areas of consensus between state privacy laws than there aresignificant areas of contention, including key definitions, consumer rights, data holder There are two main areas of contention among state privacy laws: the inclusion of auniversal opt-out mechanism and whether a law’s opportunity to cure is guaranteed or The state privacy patchwork is both expensive for businesses and confusing forconsumers. Congress should act quickly to pass a federal privacy law that establishes a CONTENTS Key Takeaways................................................................................................................... 1Introduction....................................................................................................................... 2Digging Into the State Privacy Patchwork.............................................................................. 4Key Definitions ............................................................................................................... 4Consumer Rights........................................................................................................... 11Data Holders’ Responsibilities........................................................................................ 14Oversight and Enforcement ............................................................................................ 20 INTRODUCTION The rapid proliferation of broad state data privacy laws across the United States has created acomplex and fragmented regulatory landscape. While these laws share common goals ofenhancing consumer rights, increasing transparency, and imposing obligations on data holders,they diverge in key definitions, scope, enforcement mechanisms, and substantive requirements.This patchwork approach presents significant challenges for both consumers and businesses. These challenges underscore the growing need for a national data privacy framework. A federalstandard would provide consistent baseline protections for all Americans, regardless ofgeography, while simplifying compliance for businesses and fostering innovation. The longerCongress waits to accomplish this goal, the greater the risk of further entrenching fragmentation The United States’ patchwork approach to privacy is unworkable in the long term. But thatpatchwork is already here, so at the very least, Congress can learn from the policies states have This report compares and contrasts the existing 21 broad state data privacy laws to informCongress’s efforts to craft a national data privacy framework. It breaks these laws down into theircore provisions, including key definitions, consumer rights, data holders’ responsibilities, andoversight and enforcement mechanisms, highlighting areas of significant overlap and noteworthy DIGGING INTO THE STATE PRIVACY PATCHWORK As the United States continues to develop a patchwork of broad state privacy laws, meaningfuldifferences have emerged in how states define key terms, allocate rights to consumers, imposeobligations on data holders, and structure oversight and enforcement. While many of these lawsshare a common foundation—drawing heavily from early models such as California’s or Virginia’s This section looks at four core areas of divergence across state privacy regimes: key definitionsthat determine scope and applicability, the breadth of consumer rights, the substantiveresponsibilities imposed on businesses, and the mechanisms for oversight and enforcement.While there are many other provisions contained in the 21 broad state privacy laws that differ Key Definitions Key definitions contained within state privacy laws determine whom the law applies to. Statelaws also define different categories of data. These laws typically include protections for“personal data” (also referred to as “personal information” or “personally identifiable Though there is some slight variation, generally speaking, state privacy laws apply to firmsconducting business in a state or targeting their products and services to a state’s residents.These businesses must also meet certain thresholds, typically determined by the number ofconsumers whose data the business processes each year or the percentage of the business’sannual revenue derived from data sales. In California, businesses that meet a certain minimumthreshold of annual revenue must also comply with the state’s privacy law regardless of the As the United States continues to develop a patchwork of broad state