Chapter 4 of 10
Module 4: U.S. State Privacy and Data Security Laws
Examine the expanding patchwork of U.S. state privacy and security laws, focusing on common patterns, unique features, and implications for multi-state compliance.
Step 1 – Why State Privacy and Security Laws Matter Now
Over the last few years (especially 2018–2025), U.S. states have rapidly filled gaps left by the absence of a comprehensive federal privacy law.
Context relative to today (January 2026):
- More than a dozen states now have comprehensive consumer privacy laws (starting with California in 2018 and accelerating after 2020).
- All 50 states plus D.C. and territories have data breach notification laws.
- Several states have passed new children’s and sensitive data protections and data broker rules (notably California’s Delete Act, enacted 2023, with phased implementation through 2026).
This module builds on:
- Module 2 (security-by-design, reasonable security, accountability)
- Module 3 (FTC Act, sectoral federal laws)
Here, you’ll focus on how states add another layer:
- Sometimes aligning with federal principles (e.g., reasonable security)
- Sometimes going further, especially on consumer rights and data broker controls
Key idea: Multi-state organizations must navigate a patchwork: similar concepts but different definitions, thresholds, and exemptions in each state.
You’ll learn to:
- Spot common elements across state privacy laws
- Recognize unique features in states like California, Oregon, Texas, and newer laws
- Explain how tools like California’s Delete Act change data broker governance and security practices
Step 2 – The Landscape: Comprehensive State Privacy Laws vs. Sectoral/Security Laws
State privacy and security rules fall into two big buckets:
1. Comprehensive consumer privacy laws
These are broad, GDPR-style laws that:
- Cover personal data of state residents
- Apply to businesses or controllers that meet certain thresholds (e.g., revenue, volume of data processed)
- Grant consumer rights (access, deletion, etc.)
- Impose duties on businesses (data minimization, security, purpose limitations)
Examples (non-exhaustive, as of early 2026):
- California – CCPA (2018) amended by CPRA (effective 2023); enforced by the California Privacy Protection Agency (CPPA) and AG
- Colorado, Connecticut, Utah, Virginia – early adopters of comprehensive laws
- Oregon, Texas, and others – newer laws adding nuances (e.g., stronger sensitive data rules)
You’ll see similar core ideas, but each state tweaks:
- Definitions (e.g., sale vs. share)
- Scope (which entities are covered or exempt)
- Enforcement models (AG only vs. agency + AG; limited private rights of action in some cases)
2. State data security and breach notification statutes
These laws:
- Require reasonable security measures for certain data (often focusing on financial, health, or ID data)
- Define “personal information” for breach purposes more narrowly than privacy laws (e.g., name + SSN, account number, biometric data)
- Require notice to:
  - Affected individuals
  - Sometimes state AGs or regulators
  - Sometimes credit reporting agencies
- Often set timelines (e.g., “without unreasonable delay” or a specific number of days) and content requirements
Connection to earlier modules:
- "Reasonable security" in state laws links back to Module 2 standards.
- Breach notification interacts with federal sectoral rules (e.g., HIPAA/HITECH, GLBA) from Module 3.
In practice, organizations must map which laws apply based on:
- Where consumers live (state of residence)
- Type of data collected
- Industry/sector and existing federal rules
Step 3 – Common Core Rights in State Privacy Laws
Most comprehensive state privacy laws share a core set of consumer rights. Names and details differ, but the patterns are consistent.
1. Right to know / access
Consumers can:
- Confirm whether a business is processing their personal data
- Obtain copies or summaries of that data and certain metadata (e.g., categories, purposes, third-party disclosures)
2. Right to delete
Consumers can request deletion of:
- Personal data provided by them
- In many states, also data observed (e.g., browsing history) or derived (profiles, inferences), though details vary
3. Right to correct
Increasingly common (e.g., California post-CPRA, Colorado, Virginia, others):
- Consumers can request correction of inaccurate personal data.
4. Right to data portability
Consumers can:
- Receive their data in a portable, machine-readable format
- Sometimes request transmission to another entity when technically feasible
5. Rights regarding targeted advertising, sale, and profiling
Many states provide rights to:
- Opt out of targeted advertising (based on cross-site/cross-app tracking)
- Opt out of sale of personal data (often broad – any exchange for value, not just money)
- Opt out of certain profiling that produces legal or similarly significant effects
6. Sensitive data protections
Most newer state laws:
- Treat sensitive data (e.g., precise geolocation, health, race/ethnicity, sexual orientation, children’s data, biometric data) as a special category
- Require opt-in consent or strict limitations before processing sensitive data
Practical takeaway: For multi-state compliance, companies often build one unified rights request process and then configure state-specific logic behind the scenes (e.g., which rights apply to which residents).
Step 4 – Apply It: Mapping Rights to UI Design
Imagine you are helping design a privacy center webpage for a company that operates nationwide and is subject to multiple state privacy laws (including California, Colorado, Oregon, Texas, and others).
Thought exercise:
- You have to include at least four self-service options on the page. Based on the common rights described in Step 3, list which four you would prioritize and how you would label them in plain language.
- Example labels (you can adapt or improve):
  - “Request a copy of my data”
  - “Delete my information”
  - “Correct my information”
  - “Opt out of targeted ads and data sale”
- For each option, jot down one piece of information you would need from the user to authenticate them (e.g., email, phone number, account login) without over-collecting data.
- Reflect: How does data minimization (from Module 2) influence what you collect in the rights request form?
Write your answers in a notebook or text editor. Focus on designing a process that could work across multiple states, not just one.
Step 5 – State Data Security & Breach Notification: Common Patterns
All U.S. states and many territories have data breach notification laws, and many have explicit security requirements. While details vary, there are recurring elements.
A. What triggers a breach notification?
Typically:
- Unauthorized acquisition or access to personal information (PI) that compromises security, confidentiality, or integrity.
- PI often defined as: name + one or more of: SSN, driver’s license/state ID, financial account + access code, certain biometrics, sometimes medical or health insurance info.
- Many states have expanded definitions to include online credentials (username + password) and some forms of biometric data.
B. Risk of harm analysis
Many states allow a risk of harm assessment:
- If an investigation shows the breach is unlikely to result in harm (e.g., data encrypted, no evidence of misuse), notification to individuals may not be required.
- Some states still require notice to the AG or regulator even if individual notice is not required.
C. Timing and content
- Notification must be given “without unreasonable delay”, often with an outer time limit (e.g., 30–60 days in some states).
- Notices must include key facts: what happened, what information was involved, what the organization is doing, and steps individuals can take.
D. Security requirements
Some states (e.g., California, New York, Massachusetts) go beyond breach notice and:
- Require “reasonable security procedures and practices” appropriate to the nature of the information
- Sometimes reference industry standards or require specific elements (e.g., written information security programs, encryption, access controls)
Link to earlier modules:
- These laws operationalize “reasonable security” from Module 2.
- They complement federal breach rules (e.g., HIPAA, GLBA) from Module 3, often leading to dual or parallel notifications in regulated sectors.
Step 6 – State Spotlights: California, Oregon, and Texas
Here are simplified, practical examples of how three states add distinct twists to the common patterns.
---
1. California – CCPA/CPRA + Delete Act
Key privacy features:
- Broad definition of “sale” (any disclosure for valuable consideration), plus separate concept of “sharing” for cross-context behavioral advertising.
- Expanded rights under CPRA (effective 2023): access, delete, correct, opt out of sale/sharing, limit use of sensitive personal information.
- Enforcement: California Privacy Protection Agency (CPPA) + Attorney General.
Data broker & Delete Act angle:
- California already had a data broker registration law (Cal. Civ. Code § 1798.99.80+).
- The California Delete Act (SB 362, enacted 2023) builds on this by:
  - Creating a one-stop deletion mechanism: California residents can submit a single request that registered data brokers must honor by deleting personal data about them (subject to exceptions).
  - Imposing ongoing deletion obligations and stronger compliance requirements on data brokers.
Governance and security impact:
- Data brokers must maintain accurate inventories of personal data and robust identity matching processes to honor delete requests.
- Stronger need for access controls, audit logs, and verification procedures to avoid accidental deletion of the wrong person’s data.
---
2. Oregon – Stronger sensitive data stance
Oregon’s comprehensive privacy law (enacted in the mid-2020s) is notable for:
- A relatively broad definition of sensitive data, including some categories that go beyond other states.
- Emphasis on opt-in consent for sensitive data and clear notice requirements.
Practical effect:
- Companies must perform more granular data classification to identify sensitive data.
- Systems must support differential consent flows (e.g., separate prompts for precise location or health-related information).
---
3. Texas – Large-state law with distinct scope
Texas adopted a comprehensive privacy law in the early-to-mid 2020s.
Typical features include:
- Controller/processor framework similar to other states, with duties like data minimization and security.
- Consumer rights: access, delete, correct, opt out of targeted advertising and certain profiling.
- Some differences in coverage thresholds and exemptions (e.g., small businesses, certain nonprofits, or entities already covered by federal sectoral laws may be treated differently).
Operational challenge:
- Organizations must track which residents are covered and which exemptions apply, leading to complex state-based logic in privacy programs.
---
Takeaway: Even when states use similar language (e.g., “sensitive data,” “sale,” “controller”), you cannot assume the definitions or obligations are identical. For multi-state compliance, compare definitions and scope carefully.
Step 7 – Mini Case Study: Multi-State Breach Response
You are the privacy lead for a mid-size e-commerce company operating online throughout the U.S.
Scenario:
- An attacker exploited a vulnerability in your web application.
- Exposed data: names, email addresses, hashed passwords, and in some cases, saved shipping addresses.
- Affected residents: California, Texas, Oregon, and several other states.
Your task:
- Identify which laws are in play.
  - Think about: state breach notification laws vs. comprehensive privacy laws.
  - Consider whether any sectoral federal laws from Module 3 would apply (e.g., are you a bank or healthcare provider? likely not here).
- Outline a basic triage plan (3–5 bullet points):
  - How will you determine if the incident meets each state’s definition of a “breach”?
  - How will you handle risk of harm analysis (e.g., hashed passwords – how strong is the hashing, any evidence of misuse)?
  - How will you decide who to notify (individuals, AGs, regulators, credit bureaus) and by when?
- Link to reasonable security:
  - List 2–3 security measures (from Module 2’s “reasonable security” discussion) that regulators might expect you to have had in place (e.g., strong password hashing, MFA, patch management).
Write down your answers. Then, compare them mentally to how a real organization might respond: cross-functional incident response team, outside counsel, forensics, and regulator engagement.
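As an added worked example (not part of this module), the following Python helper encodes the Step 5 breach patterns as a state-by-state matrix and runs the Step 7 scenario through it. The three entries in MATRIX are constructed placeholders that illustrate the pattern types (trigger elements, outer deadline, risk-of-harm exception, regulator threshold); they are not the text of any real state's statute.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Protections under which an exposed element is treated as unreadable for the
# risk-of-harm analysis (assumes the key or pepper was NOT also exposed).
STRONG_PROTECTION = {"encrypted", "bcrypt", "argon2id", "scrypt"}

# Constructed, illustrative matrix keyed by placeholder state names. Element sets,
# day counts, thresholds and flags mirror the patterns in Step 5, not real statutes;
# a production matrix is populated from counsel review of each state's law.
MATRIX = {
    "State A": {"triggers": {"ssn", "dl", "financial+code", "biometric", "credentials"},
                "deadline_days": None, "harm_exception": True,
                "regulator_min": 500, "regulator_even_if_no_harm": True},
    "State B": {"triggers": {"ssn", "dl", "financial+code", "biometric", "credentials", "medical"},
                "deadline_days": 45, "harm_exception": True,
                "regulator_min": 250, "regulator_even_if_no_harm": False},
    "State C": {"triggers": {"ssn", "dl", "financial+code", "biometric"},
                "deadline_days": 60, "harm_exception": False,
                "regulator_min": 1000, "regulator_even_if_no_harm": False},
}

@dataclass(frozen=True)
class Element:
    kind: str                      # "name", "email", "credentials", "address", "ssn", ...
    protection: str = "plaintext"  # "plaintext", "md5", "bcrypt", "encrypted", ...

@dataclass
class Decision:
    state: str
    is_breach: bool
    notify_individuals: bool
    notify_regulator: bool
    deadline: Optional[date]       # None = "without unreasonable delay", no fixed outer limit
    reason: str

def triage(state: str, exposed: list, affected: int, discovered: date) -> Decision:
    rule = MATRIX[state]
    kinds = {e.kind for e in exposed}
    hits = [e for e in exposed if e.kind in rule["triggers"]]
    # Step 5 pattern: name + a triggering element, or online credentials on their own.
    is_breach = bool(hits) and ("name" in kinds or "credentials" in kinds)
    if not is_breach:
        return Decision(state, False, False, False, None, "no statutory PI combination exposed")
    readable = [e for e in hits if e.protection not in STRONG_PROTECTION]
    low_risk = rule["harm_exception"] and not readable
    notify_ind = not low_risk
    notify_reg = affected >= rule["regulator_min"] and (notify_ind or rule["regulator_even_if_no_harm"])
    deadline = discovered + timedelta(days=rule["deadline_days"]) if rule["deadline_days"] else None
    reason = ("all triggering elements strongly protected; individual notice not required"
              if low_risk else "readable PI exposed: " + ", ".join(sorted(e.kind for e in readable)))
    return Decision(state, True, notify_ind, notify_reg, deadline, reason)

# Step 7 scenario: names, emails, some shipping addresses, and bcrypt-hashed passwords.
SCENARIO = [Element("name"), Element("email"), Element("address"),
            Element("credentials", protection="bcrypt")]

if __name__ == "__main__":
    for st in MATRIX:
        print(triage(st, SCENARIO, affected=1200, discovered=date(2026, 1, 15)))
```

Swapping the credentials element's protection to "md5" flips State A and State B to individual notice, which is the "how strong is the hashing" question from the case study made concrete.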
Step 8 – Quiz: Common Elements vs. Unique State Features
Answer this quick question to check your understanding of common patterns vs. unique features in state privacy laws.
Which of the following is MOST clearly a *unique* state innovation rather than a common feature across all comprehensive state privacy laws (as of early 2026)?
- Providing consumers with a right to access and delete their personal data
- Requiring reasonable security measures to protect personal data from unauthorized access
- Creating a centralized, one-stop mechanism for consumers to request deletion of their data from all registered data brokers in the state
Answer: C) Creating a centralized, one-stop mechanism for consumers to request deletion of their data from all registered data brokers in the state
Options 1 and 2 describe **common elements** across many comprehensive privacy and security laws: most states provide access/deletion rights and require reasonable security. Option 3 refers to California’s **Delete Act**, which is a **distinct state innovation** creating a centralized deletion mechanism for data brokers, not (yet) a standard feature across all states.
Step 9 – Flashcards: Key Terms Review
Use these flashcards to reinforce core concepts from this module.
- Comprehensive state privacy law
- A broad, generally applicable law that governs the processing of personal data about state residents, grants consumer rights (e.g., access, deletion, opt-out), and imposes duties on controllers/processors. Examples include California’s CCPA/CPRA, Colorado, Connecticut, Utah, Virginia, Oregon, Texas, and others.
- Reasonable security (state law context)
- A flexible standard in many state laws requiring organizations to implement security measures appropriate to the sensitivity, volume, and risks associated with the personal information they hold. Often aligned with industry standards and the concepts discussed in Module 2.
- Data breach notification law
- A state statute that requires organizations to notify affected individuals (and sometimes regulators or credit bureaus) when certain defined personal information is accessed or acquired by an unauthorized party in a way that compromises its security or is likely to cause harm.
- Sensitive data (state privacy laws)
- Categories of personal data that receive extra protection, such as precise geolocation, health information, racial/ethnic origin, religious beliefs, sexual orientation, biometric identifiers, and children’s data. Many state laws require opt-in consent or strict limits on processing this data.
- Data broker (California context)
- A business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship. In California, data brokers must register and, under the Delete Act, honor centralized deletion requests.
- California Delete Act
- A California law (SB 362, enacted 2023) that strengthens regulation of data brokers and creates a centralized, one-stop mechanism through which California residents can request deletion of their personal data held by registered data brokers, with ongoing compliance and security implications.
- Opt-out of targeted advertising
- A consumer right in many state privacy laws allowing individuals to direct businesses not to use their personal data for cross-site or cross-app behavioral advertising based on tracking and profiling.
- Risk of harm analysis (breach laws)
- An assessment allowed under many state breach notification statutes to determine whether an incident is likely to result in harm (e.g., identity theft, fraud). If the risk is low (e.g., strong encryption, no misuse), individual notification may not be required, though regulator notice may still be.
Step 10 – Pulling It Together: Multi-State Compliance Strategy
To close this module, connect the concepts to a practical strategy for handling the state patchwork.
A. Start with a common baseline
Design a baseline privacy and security program that:
- Implements reasonable security (Module 2) for all personal data
- Offers a core set of rights (access, delete, correct, opt out of targeted ads/sale) to all users where feasible, not just where legally required
- Uses data minimization and purpose limitation to reduce risk
B. Layer on state-specific rules
Then, add state-specific layers, for example:
- California: Treat “sale” and “sharing” distinctly; support the Delete Act for data broker operations; apply special rules to sensitive personal information.
- Oregon, Texas, and others: Align consent and sensitive data handling with each state’s definitions and thresholds.
- Breach notification: Maintain a state-by-state matrix of timelines, definitions, and regulator notice requirements.
C. Governance and documentation
- Maintain a data inventory and records of processing that identify:
  - What data you hold
  - Which states’ residents are affected
  - Whether data is sensitive or subject to special rules (children, health, financial, etc.)
- Document risk assessments, data protection impact assessments (DPIAs) where required, and incident response plans.
D. Continuous updating
State laws are changing quickly (especially 2023–2025 and likely beyond). Organizations need to:
- Monitor new state laws and amendments
- Update privacy notices, rights workflows, and security controls accordingly
By understanding the common patterns and unique innovations (like the California Delete Act), you can better analyze new laws as they appear and design privacy and security programs that scale across many U.S. states.
Key Terms
- Data broker
- A business that collects and sells or licenses personal information about individuals with whom it does not have a direct relationship; subject to special rules in some states, such as registration and deletion obligations.
- Sensitive data
- Personal data that receives heightened protection in state laws, such as precise location, health data, racial or ethnic origin, religious beliefs, sexual orientation, biometric identifiers, and children’s data.
- Reasonable security
- A flexible legal standard requiring security measures appropriate to the sensitivity, volume, and risks associated with personal data, often referencing industry best practices rather than a fixed checklist.
- California Delete Act
- A California law (SB 362, 2023) that enhances data broker regulation and creates a centralized mechanism for California residents to request deletion of their personal data from all registered data brokers.
- Risk of harm analysis
- An assessment under many state breach laws to determine whether a security incident is likely to result in harm to individuals, influencing whether breach notifications must be sent.
- Data breach notification law
- State law requiring organizations to notify individuals and sometimes regulators when defined personal information is accessed or acquired by an unauthorized party in a way that may cause harm.
- Comprehensive state privacy law
- A broad law governing personal data processing for state residents, granting consumer rights (e.g., access, deletion, opt-out) and imposing duties on organizations, similar in structure to GDPR but varying by state.
- Opt-out of targeted advertising
- A right allowing consumers to direct organizations not to use their data for cross-site or cross-app behavioral advertising based on tracking and profiling.