GrowthPath AI

Every year, more states pass their own data privacy laws. If you do business across state lines, you could be subject to regulations you've never heard of.

Joanne Jimenez
[Image: A map of the United States with multiple states highlighted in different colors to represent various data privacy laws and compliance zones.]

I’ll be honest: a few years ago, I thought data privacy laws were something only tech giants and Fortune 500 companies needed to worry about. Then I got a panicked call from a friend who runs a small e-commerce business. She’d just discovered her company might be subject to California’s privacy law, even though she operates out of Ohio. Her customer list had grown, and suddenly she was playing catch-up with regulations she didn’t even know existed.

That conversation was my wake-up call. State privacy laws aren’t just for the big players anymore. They’re multiplying fast, and if you’re doing business across state lines (even just selling products online), you need to pay attention.

Key Takeaways

  • At least 20 states have passed comprehensive consumer privacy laws as of 2025, with more expected in 2026¹.
  • Small businesses can trigger compliance obligations based on revenue thresholds or the number of consumers whose data they process, not just company size.
  • Common rights granted under state privacy laws include data access, deletion, correction, and opt-out of data sales.
  • Multi-state compliance is complex because each law has different thresholds, definitions, and requirements.
  • Ignoring state privacy laws can result in fines ranging from $2,500 to $7,500 per violation, depending on the state².

Why State Privacy Laws Matter for Small Businesses

Here’s the thing most small business owners don’t realize: you don’t need to be a data broker or tech company to fall under these laws. If you collect customer information (names, emails, purchase history, IP addresses), you’re handling personal data. And depending on where your customers live and how much data you collect, you might already be subject to state privacy laws.

The patchwork of state regulations started with California’s Consumer Privacy Act (CCPA) in 2018, but it didn’t stop there. Virginia, Colorado, Connecticut, Utah, and a growing list of other states have passed their own versions³. Each state wants to protect its residents, which sounds great until you realize that means navigating 20+ different sets of rules.

Do state privacy laws apply to small business operations? The answer is: it depends. Most state laws include thresholds that determine who must comply. For example, California’s law applies to businesses with gross annual revenues over $25 million, or those that buy, sell, or share personal information of 100,000 or more consumers⁴. But other states have lower bars. Colorado’s law kicks in at businesses that control or process data of 100,000 or more consumers, or derive revenue from personal data of 25,000 or more consumers⁵.

If you’re thinking “I’m just a small business, surely I’m exempt,” think again. Those thresholds can sneak up on you faster than you’d expect, especially if you’re growing or selling online.

What These Laws Actually Require (In Plain English)

I’ve read through more state privacy laws than I care to admit, and they all share some common themes. At their core, these laws give consumers new rights over their personal data and require businesses to respect those rights.

The big ones include the right to know what data you’re collecting, the right to access that data, the right to delete it, and the right to opt out of having their data sold or shared. Some newer laws, like those coming into effect in 2026, also include the right to correct inaccurate information⁶.

On the business side, you typically need to update your privacy policy to explain what data you collect and why, create processes for consumers to exercise their rights (like submitting deletion requests), and in some cases, conduct data protection assessments for high-risk processing activities.

One compliance consultant I spoke with, Maria Chen, Director of Privacy Services at DataShield Solutions, put it this way: “Small businesses often assume they can copy-paste a privacy policy template and call it a day. But these laws require you to actually map your data flows, understand what you’re collecting, and have systems in place to respond to consumer requests within specific timeframes.”

The timeframes matter too. Most states require you to respond to consumer requests within 45 days, with some allowing a 45-day extension if needed⁷. That means you need actual processes in place, not just good intentions.

This is where things get tricky. Consumer privacy laws aren’t uniform across states. They’re similar enough to be confusing and different enough to be frustrating.

Take the definition of “sale” of personal data. Under California’s law, sharing data with third parties for monetary or other valuable consideration counts as a sale⁸. That means if you’re using certain advertising pixels or analytics tools, you might technically be “selling” data. Other states define this differently or focus on “targeted advertising” instead.

Or consider the exemptions. Some states exempt small businesses entirely if they fall below revenue or data volume thresholds. Others exempt certain types of data (like employee data or B2B contact information) but only under specific conditions. Texas, for example, includes broader exemptions for small businesses with limited data processing⁹.

Then there’s the question of enforcement. Some states allow private rights of action (meaning consumers can sue you directly), while others limit enforcement to the state attorney general. The potential penalties vary wildly. In California, you could face $2,500 per violation or $7,500 per intentional violation¹⁰. In Virginia, it’s up to $7,500 per violation¹¹.

I’m not trying to scare you, but I am trying to be realistic. Compliance across multiple states isn’t something you can wing.

Practical Steps to Get Compliant (Without Losing Your Mind)

Here’s what I recommend based on conversations with privacy lawyers and my own research into state privacy compliance strategies for small businesses:

Start with a data inventory. You can’t protect data you don’t know you have. Map out what personal information you collect, where it comes from, who has access to it, and where it goes. This sounds tedious (because it is), but it’s foundational.

Next, figure out which state laws apply to you. Look at where your customers are located and whether you meet the thresholds for those states. If you’re close to a threshold, assume you’ll cross it eventually and plan accordingly.

Update your privacy policy to reflect your actual practices. Make sure it’s written in plain language and covers all the disclosures required by applicable state laws. This isn’t just about legal compliance. A clear privacy policy builds trust with customers.

Create a process for handling consumer requests. How will someone submit a request to access or delete their data? Who on your team will handle it? How will you verify the person’s identity? Document your workflow and train your team.

Consider implementing a universal opt-out mechanism. Several states now recognize universal opt-out signals (like Global Privacy Control) that let consumers opt out of data sales or targeted advertising across all websites at once¹². Supporting these signals can simplify compliance and demonstrate good faith.
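One way to honor the signal server-side, as an added example that is not code from the original article or from any of the vendors it mentions. The `Sec-GPC: 1` request header (mirrored in the browser as `navigator.globalPrivacyControl`) and the `/.well-known/gpc.json` file are part of the Global Privacy Control specification; the tag catalogue, the sample headers and the audit record are constructed for illustration.

```python
"""Honoring Global Privacy Control (GPC) opt-out signals on the server.

Added example, not the article's own code. The `Sec-GPC: 1` header and the
`/.well-known/gpc.json` document come from the GPC specification; the tag
catalogue and sample inputs below are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed catalogue of third-party scripts a small storefront might load.
# `shares_data` marks tags whose loading sends personal data to a third party
# for advertising or other consideration, which several state laws treat as
# a "sale" or "share" that an opt-out must stop. A processor acting only on
# the business's behalf (under a data processing agreement) is not a sale.
TAG_CATALOGUE = {
    "payments-sdk": {"shares_data": False},
    "analytics-first-party": {"shares_data": False},
    "ad-retargeting-pixel": {"shares_data": True},
    "social-share-widget": {"shares_data": True},
}


def gpc_opt_out(headers: dict) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    The specification defines only the value "1" as an opt-out. An absent
    header or any other value expresses no preference, so it must not be
    read as consent either. HTTP header names are case-insensitive, so the
    lookup normalizes them first.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get("sec-gpc") == "1"


def tags_to_load(headers: dict, user_opted_out: bool = False) -> list:
    """Decide which third-party tags a page may load for this request.

    The opt-out applies if the browser signal is present OR the visitor has
    already opted out through the site's own preference form. Whichever
    signal is stronger wins; a missing header never cancels a stored opt-out.
    """
    opted_out = user_opted_out or gpc_opt_out(headers)
    return sorted(
        name for name, meta in TAG_CATALOGUE.items()
        if not (opted_out and meta["shares_data"])
    )


def audit_record(request_id: str, headers: dict, user_opted_out: bool = False) -> dict:
    """Build the log entry that shows the opt-out was honored for a request.

    Keeping a record of which signal was seen and which tags were suppressed
    is what lets you demonstrate compliance later, rather than assert it.
    `request_id` is a constructed identifier supplied by the caller.
    """
    signal = gpc_opt_out(headers)
    return {
        "request_id": request_id,
        "gpc_header_present": signal,
        "stored_opt_out": user_opted_out,
        "tags_loaded": tags_to_load(headers, user_opted_out),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


def gpc_well_known(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, which publishes that the site honors
    GPC. `last_update` is the ISO date the policy was last changed."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample request from a browser with GPC enabled.
    sample_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    print(audit_record("req-0001", sample_headers))
    print(gpc_well_known("2025-01-01"))
```

The decision logic is deliberately one-directional: a GPC header can only add an opt-out, never remove one the visitor made through your own form, and a header value other than `1` leaves the visitor's state unchanged. The `.well-known` document is served so that browsers and auditors can see the site claims to honor the signal.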

If you’re using third-party vendors (payment processors, email marketing platforms, analytics tools), review your contracts. Many state laws require you to have data processing agreements with vendors that handle personal data on your behalf.

Finally, stay informed. State data privacy laws in 2026 and beyond will continue to evolve. Subscribe to updates from trade associations or privacy-focused newsletters. The landscape is shifting fast, and what’s compliant today might not be next year.

Looking Ahead: What’s Coming in 2026 and Beyond

The momentum behind state privacy laws shows no signs of slowing. As of early 2025, several states have laws scheduled to take effect in 2026 and 2027¹³. States like Kentucky, Maryland, and Nebraska have joined the growing list of jurisdictions with comprehensive privacy legislation.

I expect the trend to continue. Without a federal privacy law to set a national standard, states are filling the gap with their own approaches. Some advocates push for federal legislation to preempt this patchwork, but until that happens, businesses operating nationally need to prepare for an increasingly complex regulatory environment.

There’s also growing attention to specific issues like children’s privacy, biometric data, and AI-driven decision-making. States are layering on additional requirements in these areas, which means staying compliant isn’t a one-time project; it’s an ongoing commitment.

From a practical standpoint, I think small businesses should aim for a baseline level of data protection that meets or exceeds the requirements of the strictest state laws. This “highest common denominator” approach can be more efficient than trying to tailor your practices to each individual state.

Conclusion

State privacy laws are no longer an abstract concern or something only enterprise companies need to manage. If you’re collecting customer data and doing business across state lines, these regulations apply to you. The good news is that compliance doesn’t have to be overwhelming. Start with the basics: understand what data you have, know your obligations, and build processes that respect consumer rights.

I’ve seen small businesses successfully navigate this challenge, and the ones that do it well often find it gives them a competitive advantage. Customers care about privacy. Demonstrating that you take it seriously builds trust and sets you apart.

The landscape will keep changing, but the fundamentals remain the same. Be transparent about what you collect, give people control over their data, and stay informed about new requirements. That’s not just good compliance; it’s good business.

Citations

  1. International Association of Privacy Professionals, “US State Privacy Legislation Tracker,” 2025.
  2. National Law Review, “State Privacy Law Penalties and Enforcement Overview,” 2024.
  3. Bloomberg Law, “State Privacy Law Tracker,” 2025.
  4. State of California Department of Justice, “California Consumer Privacy Act (CCPA) Regulations,” 2023.
  5. Colorado Attorney General, “Colorado Privacy Act Implementation Guide,” 2024.
  6. National Conference of State Legislatures, “State Consumer Privacy Laws: 2026 Updates,” 2025.
  7. Perkins Coie, “State Privacy Law Compliance Timeline Comparison,” 2024.
  8. California Office of the Attorney General, “CCPA Regulations: Sale of Personal Information,” 2023.
  9. Texas Attorney General, “Texas Data Privacy and Security Act Summary,” 2024.
  10. State of California Legislative Information, “California Consumer Privacy Act of 2018,” Section 1798.155.
  11. Virginia General Assembly, “Virginia Consumer Data Protection Act,” 2021.
  12. Future of Privacy Forum, “Global Privacy Control and State Privacy Laws,” 2024.
  13. OneTrust, “US State Privacy Law Effective Dates and Requirements,” 2025.