If your organisation operates on both sides of the Atlantic, you are probably already familiar with the General Data Protection Regulation, usually known as GDPR. It has shaped how businesses collect, use, store, and protect personal data across the United Kingdom and European Union. But the United States has been building its own privacy framework too, and it does not look the same.
Instead of one single national privacy law, the US has developed a patchwork of state-level rules. California led the way with the California Consumer Privacy Act, known as CCPA, which was later strengthened by the California Privacy Rights Act, or CPRA. Since then, states such as Virginia, Colorado, Connecticut, Texas, Florida, and others have introduced their own comprehensive privacy laws.
For business leaders, this matters commercially as well as legally. If your organisation serves US consumers, sells online, uses targeted advertising, collects customer data, or operates across both the US and UK/EU markets, you need to understand how US state privacy laws differ from GDPR. The similarities are important, but the differences often shape your operational decisions, compliance costs, technology controls, and customer experience.
This guide explains the key differences between GDPR and US state privacy laws: how CCPA differs from GDPR, what CPRA adds in plain English, and what business leaders should do next.
What are US state privacy laws and how did they develop?
US state privacy laws are laws passed by individual US states to regulate how businesses collect, process, share, sell, and protect personal information. They usually give consumers rights over their data and place obligations on organisations that meet certain thresholds.
The most important point for business leaders is this: US privacy law is not one single system. It is a growing collection of state laws, each with its own scope, definitions, exemptions, enforcement model, and operational requirements.
Why the US chose state-by-state regulation rather than a single federal law
Unlike the European Union, the United States has not yet adopted one comprehensive federal privacy law that applies across the whole country. There are federal sector-specific laws, such as health, financial, and children’s privacy rules, but there is no single equivalent to GDPR for all personal data.
As a result, individual states have stepped in. California was the first major state to introduce a broad consumer privacy law, and other states followed with their own versions. This has created a fragmented legal environment where one business may need to comply with different rules depending on where its customers live.
For businesses, this means privacy compliance cannot be treated as a one-time legal document. It requires a flexible programme that can adapt to different state requirements.
The journey from Safe Harbor to CCPA — a brief timeline of US privacy law
The relationship between US and European privacy law has been shaped by international data transfers for many years. Earlier frameworks such as Safe Harbor, its successor Privacy Shield (both later invalidated by the Court of Justice of the European Union), and the current EU-US Data Privacy Framework were designed to help companies move personal data between the EU and US. These arrangements highlighted a wider issue: the US and Europe have different privacy traditions.
GDPR, which became enforceable on 25 May 2018, took a rights-based and accountability-led approach. CCPA took effect on 1 January 2020 and gave California consumers new rights over personal information held by businesses. CPRA, approved by California voters in November 2020 and largely operative from 1 January 2023, then expanded and strengthened California's framework, adding new protections and creating a dedicated privacy regulator, the California Privacy Protection Agency.
Since then, the conversation has moved from “Does the US have privacy law?” to “Which US state privacy laws apply to our business?”
Which US states now have comprehensive privacy laws currently in force?
The US state privacy landscape continues to grow. California, Virginia, Colorado, Connecticut, and Utah were among the early states with comprehensive privacy laws in force. More states have since joined, including Texas, Florida, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and others at different stages of enforcement or implementation.
This is why business leaders searching for a summary of US data privacy regulations may quickly find outdated material: new laws have taken effect each year, and several only entered enforcement in 2025 or 2026. Any organisation serving US consumers should use current state privacy trackers, legal advice, and internal data mapping to confirm which laws apply.
How do US state privacy laws compare to GDPR?
GDPR and US state privacy laws share similar goals. Both aim to give individuals more control over personal data and require organisations to be more transparent. However, they are built on different legal foundations.
Lawful basis vs opt-out — the fundamental philosophical difference between the two frameworks
GDPR requires organisations to identify a lawful basis before processing personal data. This could be consent, contract, legal obligation, vital interests, public task, or legitimate interests. In other words, GDPR asks: “What legal basis allows you to process this data in the first place?”
Many US state privacy laws are more focused on notice, consumer rights, and opt-out controls. They often ask: “Has the consumer been told what is happening, and can they opt out of certain uses such as sale, sharing, targeted advertising, or profiling?”
This is one of the most important CCPA vs GDPR differences. GDPR tends to be broader and more principle-based. US state privacy laws often focus on specific consumer rights, disclosures, and restricted data uses.
Consumer rights under CCPA and CPRA vs data subject rights under GDPR
Under GDPR, individuals have rights such as access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making.
Under CCPA and CPRA, California consumers have rights such as the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit the use of sensitive personal information in certain circumstances.
Other state laws often provide similar rights, although the details vary. For example, Virginia's VCDPA, Colorado's CPA, and Connecticut's CTDPA each give consumers rights to access, delete, and correct personal data, to obtain a copy of it, and to opt out of targeted advertising, the sale of personal data, and certain profiling activities.
The terminology is different, but the operational challenge is similar: businesses need a reliable way to receive, verify, respond to, and document privacy requests.
Enforcement bodies: FTC and state attorneys general vs the ICO and EDPB
GDPR is enforced by national data protection authorities: the supervisory authorities across the European Economic Area for the EU GDPR, and the Information Commissioner's Office for the UK GDPR, the UK's retained version of the regulation. The European Data Protection Board helps promote consistent interpretation across EU authorities.
In the US, enforcement is more fragmented. The Federal Trade Commission can act against unfair or deceptive practices, but many state privacy laws are enforced by state attorneys general. California also has the California Privacy Protection Agency, which plays a major role in CPRA enforcement.
This means a business may face different regulators depending on the state, the type of data, and the nature of the alleged breach or violation.
Fines and penalties — how the consequences under US and EU law compare in practice
GDPR is known for its high maximum penalties: up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. US state privacy laws use different penalty structures, typically civil penalties calculated per violation and enforced by the attorney general or a dedicated regulator. California is also unusual in giving consumers a private right of action, with statutory damages per consumer per incident, for data breaches involving certain unencrypted and unredacted personal information caused by a failure to maintain reasonable security, which makes breach-related exposure a direct litigation risk rather than only a regulatory one.
However, business leaders should not treat US laws as lower risk simply because the penalty model differs. Regulatory investigations, consumer complaints, corrective action, legal costs, reputational damage, and disruption to operations can all be significant.
Which US state privacy laws apply to your business?
The answer depends on where your consumers are located, what type of data you process, how much data you process, your revenue, and whether you sell or share personal information.
California CCPA and CPRA — the benchmark standard, thresholds, and who qualifies
California's privacy law is often treated as the benchmark because California led the modern US state privacy movement. CCPA applies to for-profit businesses that collect personal information from California residents and meet statutory thresholds based on annual revenue, the volume of personal information they buy, sell, or share, or the share of revenue they derive from selling or sharing it. CPRA amended and expanded the CCPA framework, adding stronger rights and more detailed obligations.
CPRA explained simply: it strengthens the original CCPA by expanding consumer rights, creating additional rules for sensitive personal information, and increasing regulatory oversight.
Businesses should check whether they meet California’s thresholds and whether they collect, sell, share, or use personal information in ways covered by the law.
Virginia VCDPA, Colorado CPA, and Connecticut CTDPA — the expanding landscape
Virginia’s Consumer Data Protection Act, Colorado’s Privacy Act, and Connecticut’s Data Privacy Act are part of the next wave of state privacy laws. They share many common ideas, including consumer rights, privacy notices, data protection assessments for certain high-risk processing, and opt-out rights.
However, each law has its own definitions and requirements. Colorado is especially notable for its approach to universal opt-out mechanisms, which allow consumers to communicate privacy preferences through browser or device-level signals; California and Connecticut also require businesses to honour such signals, so a site that ignores them is out of compliance in several states at once.
For organisations operating across multiple states, the safest approach is to build a privacy programme around the highest common operational standard, then adjust for state-specific differences.
Texas, Florida and the newer state laws entering enforcement in 2025
Texas, Florida, and other states have added to the complexity of state privacy law compliance. Some newer laws became effective or entered enforcement around 2025 and 2026, which is why business leaders should avoid relying on old compliance checklists.
The key point is that US privacy law is moving from a California-only issue to a national operational concern. Even without a single federal privacy law to plan around, the state-by-state model is creating broad expectations around transparency, consumer rights, and responsible data use.
Do these laws apply to non-US businesses? The territorial question answered
Yes, they can. A UK, EU, or other non-US business may need to comply with US state privacy laws if it targets residents of a covered state, does business there, collects personal information from residents, and meets the relevant statutory thresholds.
For example, an e-commerce company based in the UK but selling to California consumers may need to assess whether CCPA and CPRA apply. A software company with customers in Virginia, Colorado, or Connecticut may also need to consider those state laws.
Headquarters location is not the only question. Market reach, customer location, data volume, and business model all matter.
What rights do US consumers have that your business must honour?
Although the details vary, most comprehensive US state privacy laws give consumers a set of rights that businesses must be able to recognise and fulfil.
The right to know, access, correct, and delete personal data
Consumers may have the right to know what categories of personal information a business collects, how it is used, where it comes from, and who it is shared with. They may also have the right to access specific information, correct inaccurate data, or request deletion.
From an operational perspective, this means your business needs clear request channels, identity verification steps, response timelines, internal ownership, and records of decisions.
The right to opt out of sale, sharing, and targeted advertising
Many US state laws give consumers the right to opt out of certain uses of their personal data. This may include the sale of personal data, sharing for cross-context behavioural advertising, targeted advertising, or profiling that produces significant effects.
This is especially important for marketing, advertising, analytics, and product teams. If your business uses pixels, advertising networks, customer data platforms, or third-party audiences, you need to understand whether those activities trigger opt-out obligations.
This is also why courses such as CCPA And CPRA Compliance For Marketing Teams can be a natural next step for marketing leaders who need role-specific training.
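The browser-level universal opt-out signal described in the Colorado section above, and the opt-out obligations that pixels and advertising networks trigger, both come down to one control: the response to a request must not load tags that constitute a sale or share once the consumer has opted out. The following is an added example, not code from the page; it assumes the Global Privacy Control (GPC) signal, which the page does not name, sent as the HTTP request header Sec-GPC: 1, and the well-known resource /.well-known/gpc.json through which a site declares that it honours the signal. The names ConsumerChoices, render_page and the script filenames are hypothetical, and the sample requests are constructed.

```python
"""Honouring a browser-level opt-out signal (GPC) when deciding which
third-party tags a page may load. Added illustration; assumes the GPC
header `Sec-GPC: 1` and the `/.well-known/gpc.json` resource.
"""
import json
from dataclasses import dataclass
from typing import Mapping


@dataclass
class ConsumerChoices:
    """Opt-out state kept in the business's own records (hypothetical model)."""
    opted_out_of_sale_or_sharing: bool = False
    source: str = "none"  # how the opt-out was recorded: "gpc", "web-form", ...


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries a valid GPC signal.

    The signal has exactly one truthy value, "1". Anything else, such as
    "true", "0" or an empty header, is not an opt-out. Header names are
    matched case-insensitively because proxies may change their case.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_request_signals(choices: ConsumerChoices,
                          headers: Mapping[str, str]) -> ConsumerChoices:
    """Fold the request's signal into the stored choices.

    A valid signal switches sale/sharing off. The absence of a signal is
    never treated as consent, so a previously recorded opt-out (for
    example via a web form) is not undone by a later request without it.
    """
    if gpc_signal_present(headers) and not choices.opted_out_of_sale_or_sharing:
        choices.opted_out_of_sale_or_sharing = True
        choices.source = "gpc"
    return choices


def may_load_third_party_ad_tags(choices: ConsumerChoices) -> bool:
    """Gate for pixels and ad-network tags that would be a sale or share."""
    return not choices.opted_out_of_sale_or_sharing


def gpc_well_known_document(last_update: str) -> str:
    """Body for /.well-known/gpc.json: the site declares it honours GPC.
    `last_update` is an ISO 8601 date (YYYY-MM-DD)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def render_page(choices: ConsumerChoices, headers: Mapping[str, str]) -> dict:
    """Decide what one response may contain.

    Returns which scripts to include and the resulting opt-out state so the
    decision can be logged alongside the request.
    """
    choices = apply_request_signals(choices, headers)
    scripts = ["first-party-analytics.js"]          # hypothetical, no sale/share
    if may_load_third_party_ad_tags(choices):
        scripts.append("ad-network-pixel.js")       # hypothetical, is a sale/share
    return {
        "scripts": scripts,
        "opted_out": choices.opted_out_of_sale_or_sharing,
        "source": choices.source,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    print(render_page(ConsumerChoices(), {"Sec-GPC": "1", "User-Agent": "x"}))
    print(render_page(ConsumerChoices(), {"Sec-GPC": "true"}))   # not a valid signal
    print(render_page(ConsumerChoices(True, "web-form"), {}))    # stored opt-out stands
    print(gpc_well_known_document("2024-01-01"))
```

The same gate should sit in front of server-side sharing too (audience uploads, customer data platform syncs), not only in the page template; a signal honoured in the browser but ignored by a nightly export is still a sale without an opt-out.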
Sensitive personal information — the CPRA’s elevated protection category
CPRA introduced stronger rules around sensitive personal information. This can include data such as precise geolocation, racial or ethnic origin, religious beliefs, health information, union membership, financial account information, and other sensitive categories.
Other state laws also place special requirements on sensitive data, sometimes requiring consent before processing. Businesses should treat sensitive information as higher risk and apply stronger controls, clearer notices, and stricter access management.
Handling consumer privacy requests across multiple state frameworks simultaneously
The practical challenge is not just knowing the law. It is managing requests across different laws at scale.
A consumer may submit a request from California, Virginia, Colorado, Connecticut, Texas, or another state. Your team needs to know which rights apply, what deadlines are relevant, whether any exemptions apply, and how to respond consistently.
Customer service and operations teams often become the first point of contact. That is why CCPA And CPRA Compliance For Customer Support And Call Centers can support operational teams that need to recognise, route, and respond to privacy requests properly.
How should business leaders build a US state privacy compliance strategy?
Business leaders cannot leave US privacy compliance to the legal team alone. It needs leadership support, budget, technology, governance, and operational ownership.
Conducting a data inventory across your US operations
Start with a data inventory. Identify what personal information you collect from US consumers, where it comes from, where it is stored, who can access it, which third parties receive it, and how long it is retained.
This inventory should cover websites, apps, customer relationship management systems, marketing platforms, payment systems, support tools, analytics platforms, and vendor integrations.
Without a clear data inventory, it is very difficult to honour consumer rights or assess which laws apply.
Appointing privacy ownership at board and operational level
Privacy needs accountability. Senior leaders should understand privacy risk as part of overall business risk. Operational teams should know who owns privacy notices, consumer requests, vendor management, technical controls, and staff training.
A good privacy governance model defines responsibilities clearly. Legal may interpret requirements. Compliance may monitor controls. IT may manage security and access. Marketing may manage tracking and consent. Customer support may handle request intake. Leadership must ensure these teams work together.
Harmonising US state compliance with your existing GDPR programme
If your organisation already has a GDPR programme, do not start from scratch. Many GDPR controls can support US state compliance, including data mapping, privacy notices, access request workflows, retention schedules, vendor contracts, and security measures.
However, do not assume GDPR compliance automatically equals US state privacy compliance. US laws may require specific opt-out links (California's "Do Not Sell or Share My Personal Information" link, for example), controls for targeted advertising and for browser-level opt-out signals, sale or sharing disclosures, limits on sensitive data, and state-specific request handling.
The best approach is to harmonise your privacy programme. Build one core privacy operating model, then add state-specific controls where needed.
FAQs
Does my UK-based business need to comply with US state privacy laws?
It may need to comply if it serves consumers in a US state with a privacy law and meets that law’s applicability thresholds. A UK-based business should review where its customers are located, how much personal information it collects, whether it sells or shares data, and whether it targets US residents.
Is a federal US privacy law coming soon and will it replace state-level laws?
There have been repeated discussions about a comprehensive federal US privacy law, but the US still does not have a single GDPR-style national privacy law. Whether a future federal law would replace or sit alongside state laws would depend on its final wording. For now, businesses should plan around the existing state-law patchwork.
What is the CPRA and how is it different from the original CCPA?
The CPRA is the California Privacy Rights Act. It amended and expanded the original CCPA. It added stronger privacy rights, introduced additional protections for sensitive personal information, and created the California Privacy Protection Agency. In simple terms, CPRA made California’s privacy framework more detailed and more demanding.
Conclusion
US privacy law is no longer something that only concerns California-facing businesses or US-headquartered organisations. The growth of state privacy laws means that any business with a US audience should understand its obligations and build a clear compliance strategy.
GDPR and US state privacy laws share common goals, but they work differently. GDPR is built around lawful basis, accountability, and broad data protection principles. US state laws tend to focus on transparency, consumer rights, opt-out mechanisms, targeted advertising, sale or sharing, and state-level enforcement.
For business leaders, the main lesson is simple: privacy compliance needs to be strategic. It affects marketing, customer support, legal, IT, product, vendor management, and leadership decision-making. The organisations that manage it well will be better placed to reduce risk, build trust, and operate confidently across borders.
Ready to build your organisation’s understanding of US privacy law? Start with our US State Privacy Laws Overview For Business Leaders course. It gives leadership teams the practical knowledge they need to understand the state privacy landscape, make informed decisions, and support a stronger compliance programme.
For teams that need more focused follow-up training, explore CCPA And CPRA Compliance For Marketing Teams, CCPA And CPRA Compliance For Customer Support And Call Centers, and CIPP/E Exam Preparation for professionals pursuing global privacy credentials.