US state laws are failing, and it impacts your business
Posted: February 21, 2025
Since California passed the California Consumer Privacy Act (CCPA) in 2018, a steady stream of states has followed suit in the absence of federal-level protection.
As of 2025, the ‘patchwork’ of US state privacy legislation spans 20 states that have passed comprehensive data privacy laws.
But not all state legislation is created equal.
State laws aim to address growing concerns about consumer privacy and data collection, but they are often vague about the security and safeguarding measures businesses must actually put in place.
Whilst the CCPA imposes comparatively stringent measures to protect personal data, subsequent state laws differ in scope and substance, which makes implementation challenging for any business that collects personal information and must meet varying requirements across state lines.
A recent study by the Electronic Privacy Information Center (EPIC), a public interest research center, found that nearly half of the state privacy laws do not adequately protect consumer data, and went so far as to suggest that some actually cause more harm than good.
Some argue that the tech industry has been allowed to write its own rules, leading to weaker privacy bills across various states.
So, why are they failing and what are the impacts for businesses?
- What makes a strong data privacy law?
- Which US laws are failing and why?
- What are the risks of poor privacy laws?
- Are weak privacy laws a good thing for businesses?
- Why businesses should lead from the front
What makes a strong data privacy law?
What defines a strong piece of privacy legislation is a matter of perspective, because it depends on how several variables are settled: what constitutes sensitive data, how a data subject is defined, and what counts as a reasonable purpose for processing.
More stringent privacy advocates would say that even the General Data Protection Regulation (GDPR), often seen as the benchmark of data privacy law, does not go far enough to protect individual rights. Many laws around the world have taken inspiration from the GDPR, though often in a diluted form.
A strong data privacy law requires clear, enforceable principles, including:
Core data privacy principles:
- Lawfulness, fairness, and transparency: Data processing must be based on a legitimate legal basis, be fair to individuals, and be transparent about how data is collected, used, and stored.
- Purpose limitation: Personal data should be collected and used for specific, legitimate purposes, and not for unrelated purposes without further consent.
- Data minimization: Only the necessary data should be collected and processed, and it should be kept for the shortest time necessary.
- Accuracy: Data should be accurate and kept up to date.
- Storage limitation: Data should be kept for no longer than necessary and should be securely stored.
- Integrity and confidentiality (Security): Data should be protected from unauthorized access, loss, or misuse through appropriate technical and organizational measures.
- Accountability: Organizations are responsible for ensuring compliance with data privacy laws and should have clear procedures for handling data breaches and complaints.
- Individual rights: Individuals should have the right to access their data, request corrections, and object to processing.
- Consent: Data processing should be based on informed, free, specific, and unambiguous consent, unless another legal basis exists.
Which US laws are failing and why?
On the EPIC study’s A-to-F grading system, 17 of the 19 states considered received a C+ or below. No state received an A, reflecting the fact that the principles outlined above were largely left out of the state bills. California and Maryland tied for the highest rating, each receiving a B- with a score of 52/100.
Below are the states that received the lowest grades and the reasons why:
- Iowa: Received an F with a score of 4/100. The state’s privacy law lacks meaningful consumer protections, including data minimization requirements, a private right of action, and strong enforcement authority.
- Utah: Also received an F with a score of 6/100. Utah’s law only covers businesses with annual revenue above $25 million, leaving much of residents’ personal data unprotected. It also lacks data minimization requirements and a private right of action.
- Tennessee: Scored 6/100 and received an F. The law does not include data minimization requirements, a private right of action, or strong enforcement authority.
- Indiana: Received an F with a score of 11/100. The law lacks data minimization requirements, a private right of action, and strong enforcement authority.
- Virginia: Scored 11/100 and received an F. The law was heavily influenced by industry lobbyists and lacks meaningful consumer protections, including data minimization requirements and a private right of action.
- Nebraska: Received an F with a score of 14/100. The law lacks data minimization requirements, a private right of action, and strong enforcement authority.
- Kentucky: Scored 14/100 and received an F. The law lacks data minimization requirements, a private right of action, and strong enforcement authority.
- Texas: Received an F with a score of 15/100. Although it requires businesses to honor universal opt-out signals, it still contains numerous loopholes and lacks many important consumer protections.
- Rhode Island: Scored 18/100 and received an F. The law lacks data minimization requirements, a private right of action, and strong enforcement authority.
What are the risks of poor privacy laws?
Though data privacy legislation is often seen as a burden on businesses, the risks of misusing data are considerable. Following strong protocols and requirements can lead to better customer experiences, improved trust and more compliant use of data.
Poor privacy legislation can lead to…
- Data abuse: Companies collect and use data in ways that consumers do not expect, leading to security risks, targeted scams, and identity theft
- Discriminatory outcomes: Data profiling often results in discriminatory practices
- Harmful advertising: Current data practices inundate consumers with targeted ads, some of which can be harmful
Are weak privacy laws a good thing for businesses?
Undoubtedly, complying with a raft of differing global privacy standards is no small feat. Growing pressure on organizations to increase revenue and prove ROI inevitably requires solid data foundations. With multiple touch points and countless systems, managing compliance only gets harder as more legislation is passed.
So, are weak privacy laws a good thing for businesses?
In theory, they mean less stringent requirements being placed on the business. The onus gets put back on the consumer. The business gets more data to play with, with less risk of getting fined. Right?
Not necessarily.
Weak privacy legislation causes many problems, at an enterprise level in particular.
As more legislation with unclear or complex stipulations is passed, the risk of non-compliance grows, along with the resources needed to navigate it. Because stronger laws like the CCPA coexist with weaker ones, organizations may end up implementing state-by-state processes, which only adds to the risk of mistakes; the simpler alternative is to apply the strictest applicable standard everywhere.
Non-compliance, of course, brings a heightened risk of data breaches and data misuse, and with them damaged trust and an eroded reputation.
But perhaps most significantly, businesses are unable to plan long-term data strategies. This has a massive impact on future innovation and growth.
Why businesses should lead from the front when it comes to privacy
Businesses have a unique opportunity to set the standard for data privacy and protection. Leading from the front not only benefits consumers but also provides significant advantages for the businesses themselves. Rather than looking for loopholes or risking fines, organizations can take proactive steps to put privacy first to build more solid data foundations.
When businesses prioritize data privacy, they demonstrate a commitment to protecting their customers’ personal information. This builds trust and fosters loyalty, as consumers are more likely to engage with companies they believe are safeguarding their data. Trust is a valuable currency in the digital marketplace, and businesses that earn it can enjoy long-term customer relationships.
By adopting privacy practices that go beyond compliance, regardless of legislative requirements, companies can position themselves as industry leaders and attract privacy-conscious consumers. This competitive edge can translate into increased market share and brand reputation.
Consumers are becoming increasingly aware of their data privacy rights and expect businesses to handle their information responsibly. By leading from the front, businesses can meet and exceed these expectations, providing transparency and control over personal data. This not only enhances the customer experience but also aligns with the growing demand for ethical and responsible business practices.
Read our research report: Privacy beyond borders
Our latest research:
- Explores consumer preferences across the US, UK, EU, and Canada in digital experiences
- Examines how privacy laws impact global user interactions
- Assesses consumer awareness of regional privacy regulations
- Investigates variations in privacy concerns across different regions