10 New U.S. State Privacy Laws: Your Questions Answered—PART 1

Between March 2024 and January 2026, a wave of 10 new U.S. state “right-based” data privacy laws shake up how companies handle personal data. It’s like trying to juggle while tap dancing for businesses – protecting customer data and staying in the good graces of privacy rules is no easy feat. 

But here’s the deal – the crucial first step in the juggling act is to make sure everyone in your organization knows where sensitive data is hiding.  

How? With data discovery tools – these help you pinpoint data no matter where it lives so you can see the whole picture to effectively protect it. 

Now, let’s dive into part one of the frequently asked questions from our live Q&A session with cybersecurity legal expert, Scott M. Giordano, Esq., where we addressed the queries submitted by our engaged audience. 

Giordano clarified that headquarters location does not matter; if an organization operates in a state and meets the criteria, it must comply with those laws. He then explained the two tiers of thresholds for being subject to these laws, which vary from state to state: conducting business and processing personal data.  

For example, if conducting business in California, Texas, or Florida the revenue threshold can range from zero dollars up to billions. For processing consumers’ personal data, the threshold can range from zero to 100,000+ persons or households. All depending on the state. 

Giordano also added that you can run afoul of these laws by selling personal data. In Texas, any sale will put you under the jurisdiction of the Texas state law. California, you must get half your revenue from selling or sharing it. Every state can be different. 

Giordano emphasized that the more contacts a company has within a state, the more likely it is to be subject to its laws, especially if it has employees there. 

According to Giordano, yes, federal laws typically take precedence over state laws which is called federalism. However, there are nuances depending on the specific regulations such as HIPAA, which allows states to build on top of it without conflicting.  

All these state laws have carve-outs to address any conflict between the state law and the federal law. They acknowledge that federal law is prime in order to stay out of the courts.  

Yes, biometrics is booming, according to Giordano, and getting significant attention from lawmakers. As such, all 10 new laws incorporate them into special personal or sensitive data.  

An Illinois law passed a few years ago incorporates facial recognition, too. And with biometrics there also are regulations around selling and sharing that data, he added. 

Depending on what is meant by privacy exposure, Giordano recommended exploring the NIST privacy framework, which covers various considerations effectively. 

Giordano explained the challenge of honoring global privacy controls while using pixels, emphasizing the need to balance tracking with user preferences.  

If the pixels are embedded there is no way to honor an opt-out request not to track, sell, or share. Giordano concluded that to use pixels and comply, organizations must develop a process to prescreen people who are not opting out of tracking. 

Giordano replied that, yes, legally, commercial entities can deny access based on tracking preferences, though exceptions exist for certain government-related services. For example, if you have a private agency providing healthcare on behalf of the government, then they could NOT deny access because it is essentially an extension of the federal government. 

Giordano stated no it doesn’t and highlighted gaps in HIPAA coverage, leading to the development of additional laws like the Washington My Health My Data Act.  

Because HIPAA came out in the 1990s, it still needs to be updated periodically to keep up with rapid changes in technology which effect personal and private data.  

Giordano believes the answer is yes and noted health services can be broadly defined.  

For example, what if you are on your smartphone and search Google about certain healthcare services? That may put you within the range of the law. It can be a low threshold to clear. 

According to Giordano, absolutely and enthusiastically, yes. Synthetic data serves as a valuable tool for testing systems and enhancing cybersecurity. That is the whole point: using it so you can more effectively test your systems and cybersecurity.  

He added that it works well and it is a common request for technology vendors to use synthetic data during test drives of their systems before purchase. He believes it is a great best practice and well worth the investment. 

Giordano replied, “Shockingly little.” The vast majority of these laws DO NOT apply to nonprofits, only to commercial enterprises. That contrasts with the EU where nonprofits, government agencies, and all others must comply with GDPR in equal measure. However, in the U.S., government agencies have their own set of laws. 

Giordano stated this typically is not true because higher education is exempted in most of these states. That’s not to say that higher ed does not have a long list of privacy requirements based at the federal level, like FERPA and GLBA. 

While criminal punishment is not common, civil liability for directors and officers is increasing, particularly regarding cybersecurity, Giordano said.  

To that point, an entire new body of law has developed over the past couple of years called Mission Critical Theory. It states if there is a particular function in your company that is mission critical to your success and other factors, then directors and officers will be held to a much lower standard for liability. And one of the mission critical items is cybersecurity.  

With that said, there will be no criminal punishment for these folks, however, we have already seen the world change in that respect, and they are going to be held personally responsible in civil law, he concluded. 

Only California specifically includes employee and job applicant data, Giordano said. That doesn’t mean, however, if employee data is stolen and ends up on the internet you may be liable under common law, tort theory. 

Giordano believes it is profiling at the same time which the law will govern. He went on to say there is not necessarily a need for a specific AI law, although we may get there soon.   

Giordano went on to expand upon a few important points about profiling:  

1. New draft mandates are coming up again. He is not sure when it will be live, but they give consumers the opportunity to opt out and they must get noticed.  

2. There is a transparency issue where you must list on your website the purpose of this technology, the logic used, the output, how the company is going to use it, and whether it is reliable. 

3. Giordano thinks this is going to put limits on companies using AI for profiling and to make automated decisions because of the forced transparency. 

Now read part 2 of the questions asked during the webinar.

Watch the full webinar to delve deeper into these answers plus gain other valuable insight such as: 

• Understand more about each of the 10 new state data privacy laws 
• Demystify the new Global Privacy Control (GPC) rules 
• Explore contract mandates when working with data processors and third parties 
• Learn common compliance “gotchas”