As in the months leading up to the EU General Data Protection Regulation’s effective date, businesses are sprinting to comply with the California Consumer Privacy Act by Jan. 1, 2020. While more American businesses focus on the implications of the CCPA’s requirements as they relate to their business—because the CCPA governs data collection and use on American shores and in one of the largest economies in the world—reforms to other states’ consumer privacy laws cannot be ignored.

What practitioners in the past have deemed a patchwork of laws governing data collection is now a labyrinth. Compliance with the current strictest standard is not a guarantee of compliance, depending on a business’s industry and unique data collection or processing practices. Some states, eager to address data collected by evolving technologies, are redefining protected personal information in breach notification laws to cover biometric data, such as fingerprints, voiceprints, and retina and iris images, without instituting distinct statutes governing this category of data, like Illinois’ Biometric Information Privacy Act.