After years of inaction, the United States has introduced comprehensive data privacy legislation that might have enough traction and bipartisan support to become federal law. While the American Data Privacy Protection Act is advancing through the federal legislative process and has progressed further than any other U.S. data privacy regulation, as of June 2023 there is still no data privacy regulation at the federal level. Several state legislatures, however, have already approved data privacy regulations. As these laws go into effect in 2023, many appear to have material alignment with the European Union’s General Data Protection Regulation—more alignment, it seems, than what is included in the proposed ADPPA. And with the ADPPA’s heavily debated preemption language and its precarious movement through Congress, the state regulations may be the supreme law of the land for some time.

Virginia, Colorado, Connecticut and Utah will begin enforcing new GDPR-inspired laws in 2023. Since the first state privacy laws were passed, Iowa became the sixth state to enact comprehensive data privacy legislation in March 2023, and in May 2023, Indiana, Montana and Tennessee enacted their regulations. Several other states have introduced privacy bills that are progressing through their respective legislatures, including Kentucky, Massachusetts, Mississippi, New York, Oklahoma and Oregon. Like the GDPR, all of these 2023 state laws are comprehensive: they apply to businesses across various sectors, in addition to the federal sector-specific regulations already in effect. Further, significant data protection concepts included in forthcoming state privacy laws are substantively identical across jurisdictions. Some legal scholars have concluded that currently proposed state privacy regulations are modeled after Virginia’s Consumer Data Protection Act, which was fashioned after the GDPR. State legislative proposals use the same terminology as Virginia’s privacy law and the GDPR. The VCDPA and GDPR take similar approaches to consumer rights and business obligations, and both employ comparable consent, cross-border data transfer and data breach notification requirements.