U.S. state privacy laws impose many new obligations on businesses that collect “personal information” from residents of those states. These laws include:

  • California Consumer Privacy Act of 2018, updated by the California Privacy Rights Act of 2020 (“CCPA”)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Illinois Biometric Information Privacy Act (BIPA)

To help our clients address, implement and operationalize the broad scope of these laws and their implementing regulations, our privacy compliance team has developed a streamlined process to make U.S. state privacy law compliance efforts effective and efficient.

Polsinelli regularly helps clients understand and comply with these obligations by providing accurate, clear, pragmatic legal advice. Our business-focused approach does more than advise on the letter of the law regarding U.S. privacy laws. Drawing on many years of experience with the ways in which organizations approach privacy compliance, we adopt a risk-based approach to add real value to our clients’ businesses. Our team regularly advises clients on privacy notices, privacy complaints and investigations, consumer requests, vendor diligence and agreements, and identifying and operationalizing opt-out processes for the sale and sharing of personal information.

Our services include:

  • Developing comprehensive privacy compliance programs to address the varying legal obligations created by this patchwork of laws.
  • Assisting organizations in implementing and maintaining their compliance programs and adapting to the changing legal landscape.
  • Helping organizations integrate their US compliance obligations with existing programs implemented to address laws such as the EU’s GDPR.
  • Helping organizations understand the varying exemptions which apply to certain industry sectors, such as financial institutions subject to GLBA, and health care companies subject to HIPAA.
  • Providing outside privacy counsel services to address operational issues such as vendor management, internal training, consumer rights, and data mapping.

Publications

White House Draft EO Targets State AI Laws as New EO Emphasizes Security
Key Takeaways White House draft EO proposes overriding state AI laws with a uniform national standard. A leaked executive order targets over 1,000 state-level AI bills, including laws in California and Colorado, and calls for a centralized federal approach to AI governance. The draft EO signals a potential shift toward federal preemption of state consumer protection laws. If implemented, it could limit states’ ability to regulate AI, disrupt existing compliance strategies and create new litigation exposure for developers and deployers. Organizations should assess AI governance policies and prepare for evolving federal enforcement. Review internal protocols for alignment with likely federal standards, monitor preemption risks and consider how the Genesis Mission’s security directives may impact partnerships.  Last Tuesday, a draft executive order (EO) from the
$1.35M CPPA Fine Signals New Focus on Privacy Disclosures
Key Takeaways The CPPA fined Tractor Supply $1.35 million — more than double its previous largest penalty — for failing to comply with privacy notice and consumer rights requirements. This is the agency’s first enforcement action targeting job applicant notices and failure to update privacy disclosures annually. Businesses should expect heightened scrutiny and broader enforcement, including multi-year compliance obligations for violators. Earlier this week, the California Privacy Protection Agency (CPPA) levied the agency’s largest fine under the California Consumer Privacy Act. Announced on Sept. 26, the $1.35 million fine is the third enforcement action brought by the agency and a steep jump compared to its prior penalties — double the $632,500 amount levied against Honda in March 2025 and four times the CPPA’s second