Maryland Sets New Benchmark with Strict Data Privacy Law, Surpassing Even California’s Regulations

SACRAMENTO, Calif. — Since California led the way with the enactment of the California Consumer Privacy Act in 2018, a wave of similar legislation has swept across the United States. To date, 18 other states have crafted their own comprehensive data privacy laws, creating a complex legal patchwork that aims to protect consumer data rights.

These legislative efforts reveal a growing national concern over data privacy as states assert individual stances in the absence of a unifying federal law. With nuances in regulations across state lines, both businesses and privacy professionals are grappling with the intricacies of compliance. The complexity has reached a point where even seasoned attorneys admit to struggling with the differing standards.

Each state’s privacy act, while sharing some similarities, introduces its own definitions and stipulations around key concepts like the “sale” of personal data. For instance, Utah and Virginia define a sale as the exchange of personal data for monetary consideration by a controller to a third party. By contrast, states like Connecticut, Colorado, and California extend this definition to include monetary or other valuable considerations.

One of the notable examples of stringent privacy regulations is found in Maryland. The state recently passed the Maryland Online Data Privacy Act (MODPA), which is set to take effect on October 1, 2025. The act not only falls in line with some common provisions seen in other states but also introduces some of the strictest controls over sensitive data thus far.

Key aspects of MODPA exceed measures found in California’s regulations, previously considered the strictest. For example, MODPA bars the sale of personal data altogether and imposes stringent limits on the collection, processing, or sharing of personal data unless it is deemed “strictly necessary” to deliver a service or product explicitly requested by a consumer. This expression, “strictly necessary,” represents a high threshold that could significantly limit business operations.

Furthermore, MODPA requires that data collection should be “reasonably necessary and proportionate” to the services or products requested by the consumer, adding another layer of complexity to its enforcement. This language raises questions, even among experts, about the extent of data collection and customer consent.

In practice, businesses face significant challenges preparing for MODPA compliance due to its low applicability threshold. It pertains to any business controlling or processing the personal data of at least 35,000 consumers, or those managing the data of over 10,000 consumers if they earn more than 20% of their gross revenue from selling personal data. These conditions mean that many smaller businesses, previously unburdened by widespread privacy regulations, will need to reassess their policies.

Legal experts strongly advise companies to seek seasoned counsel to navigate these muddy waters. Ensuring compliance will involve a deep understanding of the state-specific restrictions and a proactive approach to data management and consumer privacy that goes beyond the current practice.

As states continue to evolve their privacy laws, the national landscape for data protection becomes an increasingly complex puzzle. Without a federal standard, companies operating across state lines must maintain a patchwork of policies that comply with each state’s laws. This highlights a critical need for nationwide guidelines on data privacy — something that lawmakers have yet to provide.