As this year began, there were five comprehensive state privacy laws in effect. By 2026, however, that number will more than triple: at the time of writing, 17 states have passed similar laws. Against this backdrop, and with no federal standard, I have seen a tendency to adhere to the ‘strictest’ law, or to the law of the state with the largest economy, which would be California.
From a practical standpoint this makes a lot of sense. It puts a company in the best position for additional laws as they come into effect, and it helps streamline operational processes and thus increase efficiency. However, there is danger in assuming that California’s standard is the only one you would have to adhere to. Below are two key differences organizations should consider as they strive to operate in this new environment.
The below is not legal advice – please consult legal counsel to determine how anything may apply to your specific scenario.
Not all risk assessments are created equal
While the California Consumer Privacy Act (CCPA) calls for risk assessments, the California Privacy Protection Agency has yet to fully define in its regulations what exactly such an assessment looks like. Other states, such as Colorado, have been a bit more proactive.
Colorado’s regulations (Part 8) define the need for a data protection assessment and are much more specific about what needs to be considered (coming in at roughly two and a half pages of requirements). It is unlikely that a data privacy professional can answer all of the various considerations exclusively under their own power. Colorado requires the assessment to evaluate conditions such as psychological harm, financial harm, security harms, and so on. Some of these may require a very specialized level of knowledge to evaluate adequately. Partnerships will be key to ensuring a valid evaluation can be conducted.
It may be that California’s requirements, once issued, are more stringent than those of Colorado; however, until that time, Colorado in my opinion has one of the most in-depth evaluation processes required for a data protection / risk assessment. Standardizing on the California requirements may not meet the Colorado standard, but Colorado, by being more complete, may satisfy the eventual requirements of California and other states. This is just one example of where a different state’s law may provide a better baseline for compliance activity.
Nonprofit status doesn’t always mean exempt
While most states (such as California) do exempt nonprofits, Colorado, Delaware, Indiana, New Jersey and Oregon cover nonprofits in their data privacy laws. This means that even as a nonprofit, you may still have obligations under one or more of those laws. Should your nonprofit operate in, or target users of, those states, you may have work to do in order to ensure compliance with the respective laws. This is particularly true if you have never undertaken this work before for other compliance reasons.
Further, every state now requires contractual terms when enlisting service providers / data processors. You may therefore become subject to these laws (even in states other than the above) depending on who your clients are and what obligations they pass on to the nonprofit by contract. Consideration should be given to how these new laws, as they come into effect, impact your nonprofit, and proper funding / staffing should be obtained to ensure compliance obligations are met, ideally ahead of enforcement deadlines.
Conclusion
Data privacy laws will continue to take center stage for the next several years. As these laws are refined, there will increasingly be a need to standardize on a baseline. In the United States, that baseline should likely be California. However, as shown above, there are scenarios where other states may require additional compliance work. It would be dangerous to assume that just because you are compliant with the CCPA, you would satisfy the compliance obligations of a regulator in a different state or country.
In all likelihood it will get more difficult before it gets easier. Unless Congress passes a pre-emptive federal law, I fully expect the patchwork of laws to continue to grow, and the requirements to comply with all of them to continue to expand. Organizations will be well served by periodically reviewing their compliance programs and adapting them as each new law goes into effect. Privacy compliance is a moving target, and until that changes you will never be done. This is why it is so important for anyone involved in the field (or who funds those teams) to understand the current reality. The proper level of investment is required from the company / organization so it can better respond to changes as new laws enter enforcement.