Before diving into this week’s edition, I want to take a moment and thank the numerous readers who sent me personal messages and commented on my LinkedIn post with words of encouragement and empathy on my dad’s and my dog’s passing (if you missed last week’s newsletter, check it out here).

I know it’s a long process, and I’m feeling really lucky for such a special community supporting me.

Now back to our privacy fun …

During a LinkedIn Live last week on privacy program management (link to replay here), an interesting question popped up that I hear all the time from companies.

Do we need a separate privacy program for every state we operate in?

The short answer is no. But the longer answer is worth talking through. Because the way most companies approach multi-state privacy compliance is either overly complicated or dangerously oversimplified, and neither one serves them well.

Let me start with where we are right now, because the landscape has shifted dramatically and quickly.

Take 60 seconds and answer these five questions honestly:

  1. Do you know which states currently require your company to comply with a privacy law?
  2. Do you know which state has the strictest requirements that apply to your business?
  3. Is your program built to the strictest requirements across those states, not just the ones where you first launched?
  4. Has someone reviewed your program in the last six months for new or amended laws?
  5. Is there one named person accountable for keeping your privacy program current?

If you answered no to any of these questions, this newsletter is for you. If you answered yes to all five, you’re a rockstar; keep reading anyway, as I think you’ll still glean a few helpful nuggets!

The Patchwork Is Real and It’s Growing

In 2018, California became the first U.S. state to pass a comprehensive consumer privacy law. For a few years, it was the only one. Then, Virginia and Colorado joined in 2021. Then, Utah and Connecticut in 2022. As of today, there are 19 states with signed comprehensive privacy laws on the books, with more working their way through state legislatures right now. As of writing this, Oklahoma is close to being #20.

And then, of course, we have amendments to consider, like my childhood state of Connecticut, which has amended its law multiple times. For a full 2025 recap of amendments, I encourage you to check out this IAPP article.

Think about that trajectory. It took three years to go from one state law to five. It took less than two more years to reach nineteen. And while Congress has debated a federal privacy law for years, nothing comprehensive has passed. That means companies operating across state lines are navigating a growing patchwork of requirements that are similar in many ways but different in the details that matter.

If your organization does business in multiple states, and most do, this is your reality. The question is not whether to pay attention to it. The question is how to build a program that handles it without creating a compliance nightmare.

Privacy is like HR and Tax

Here is an analogy that tends to make this click immediately.

Think about how your company manages employment law compliance. Federal law sets a baseline. State laws layer on top, with different wage requirements, leave policies, workplace safety rules, and more. Some cities even have their own local ordinances on top of that. The details vary everywhere.

Does your HR team build a completely separate process for every state? No. They build one HR function, one set of processes, one system, and they build it to handle the variations. They know which states have stricter rules, they track changes in the law, and they make sure their processes meet the highest applicable standard. The function is unified. The knowledge of nuance lives within it.

Tax works the same way. Federal returns, state returns, sometimes local returns, all with different rules, different rates, different deadlines. Your finance team does not build twelve separate tax departments. They build one function with the expertise and tools to handle the complexity.

Privacy compliance works exactly the same way. You do not need nineteen programs. You need one well-built program designed to handle the variations across state lines.

Build to the Highest Standard and You Are Covered Everywhere

This is the strategic insight that changes how companies approach multi-state compliance: If you build your privacy program to meet the strictest applicable requirements, you will meet every other state’s requirements by default.

State privacy laws share a common core. Most give consumers a similar set of rights (though not every state grants all of them): the right to know what data you have on them, the right to correct it, the right to delete it, and the right to opt out of certain uses. Most require privacy notices, data processing agreements with vendors, and some form of risk review for higher-risk activities. The framework is largely consistent.

Where they differ is in the details. Here is what that actually looks like in practice:

Consumer request response timelines. Some states give you 45 days to respond to a consumer data request. Others allow 60 or 90 days. You’ll need to build a program that works best operationally and is compliant. Most of the companies we’re working with would pick the strictest standard, so here that would mean every request in the US is handled within 45 days. Remember, globally it’s often 30 days, which throws an entirely new challenge into the mix.

Sensitive data definitions. Most states define certain categories of data as “sensitive,” and some require additional protections or opt-in consent before collecting or using them. But the lists are not identical. Some states include precise geolocation. Some include financial data. Some include union membership or immigration status. Building to the broadest combined definition means you are covered regardless of which state your customer lives in.

Here are some of the common sensitive data fields … and this is not an area where you want to take risks.

Coverage thresholds. Some states apply their privacy law to any company that processes data on as few as 35,000 residents per year. Others set the bar at 100,000. If you sized your program to one state’s threshold and have since grown, you may now be subject to laws you are not accounting for.

The practical approach is to map the requirements across the states where you operate, identify the strictest standard in each area, and build to that. Yes, this means your program may do more than any single state technically requires. That is the point.

Where to Start: It Depends on Where You Are

Not every organization is starting from the same place. If you haven’t done a full gap analysis against each applicable law, I recommend starting there. If you have a program in flight and are struggling to keep up with the fast-paced changes, pick the riskiest area of the company and stay focused on the changes in privacy law that affect it.

Work with the business and operations to determine whether a state-by-state approach or building to the strictest requirements is best. Here are some specific ways to get started on keeping up with the information and balancing it all.

One Program, Built to Last

The companies that handle multi-state privacy compliance well are not the ones with the biggest legal teams or the most sophisticated technology. They are the ones who made a deliberate decision to build a unified, scalable program rather than a patchwork of reactive fixes.

One program. Built to the highest standard. With someone owning law-change monitoring and a regular review cadence to make sure it still fits.

Go back to those five questions at the top of this newsletter. If any of them surfaced a gap, that is your starting point. Pick the one that feels most urgent and do something about it this week, even if it is just putting a 30-minute review on the calendar.

Small, consistent steps are how good privacy programs get built. And they are a lot less painful than scrambling after the fact.

What’s one step you can take this week?

Until next week,

Jodi


💡 When you’re ready, here’s how we can help:

⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.

⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.