Consumer Data Laws in the US: Tracking the Latest Legal Updates

Data Quality & Privacy

Understanding the US privacy compliance landscape

One enforcement action, one data breach, one class-action lawsuit, any of these can create serious organizational risk for businesses that have not built a rigorous compliance posture. The patchwork of US consumer data privacy laws has grown significantly over the past several years, and the compliance and reputational costs of getting it wrong can be severe.

Understanding the state of consumer data privacy laws in the US requires grappling with a three-tier structure: federal sector-specific laws, state comprehensive privacy laws, and state sector-specific laws. No single federal omnibus law governs all of it, which means your compliance obligations depend heavily on where you operate, what data you collect, and which industries you serve.

The General Data Protection Regulation (GDPR) and the ePrivacy Directive are the most prominent international frameworks, and they have shaped how US regulators and legislators think about privacy rights. For a detailed breakdown of GDPR obligations, see our GDPR compliance guide.

At ZoomInfo, an all-in-one AI GTM Platform, we hold ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications, and we want to help you build an equally rigorous compliance posture. This guide covers the federal laws that apply to your business today, the 22 state laws now in effect or pending, how US law compares to GDPR, and how to operationalize compliance in your data infrastructure.


Why the US still has no single federal privacy law

US consumer data privacy laws operate across three distinct tiers. At the federal level, sector-specific laws govern particular industries: healthcare, financial services, credit reporting, children's online services, and email marketing each have their own statutory frameworks. Below that, a growing number of states have enacted comprehensive privacy laws that apply broadly to businesses collecting personal data about their residents. And at the third tier, states layer additional sector-specific laws on top of both federal and state comprehensive frameworks.

This structure creates compliance complexity that a single federal omnibus law would theoretically resolve. The American Privacy Rights Act of 2024 (also referred to as the American data privacy and Protection Act, or APRA) was the most recent bipartisan attempt to pass such a law. It stalled due to political climate shifts, industry lobbying, and the growing complexity of privacy concerns, and according to DLA Piper, a comprehensive federal privacy law is not expected to pass in the near future.

The practical implication for compliance teams is straightforward: plan for the patchwork, not the promise of federal preemption. Waiting for Congress to pass a single framework that overrides state laws is not a viable compliance strategy. The states have moved faster than the federal government, and that gap is widening.

The three-tier structure also means that federal and state obligations can interact in ways that are not always intuitive. A federal law may set a floor that state law exceeds, or a state law may be partially preempted by a federal framework in a specific sector. Healthcare organizations, for example, must navigate HIPAA at the federal level and then layer on California's CCPA/CPRA, which applies to employee and business-contact data in ways that HIPAA does not address.

For RevOps and GTM Engineering teams, the practical consequence is that your data infrastructure must be built to accommodate multiple overlapping obligations simultaneously. A contact database that is HIPAA-compliant is not automatically CCPA-compliant. An enrichment pipeline that satisfies Virginia's Consumer Data Protection Act may not satisfy California's CPRA. The architecture must be designed with jurisdictional flexibility from the start.


Federal privacy laws that apply to your business today

Federal data privacy laws in the US are sector-specific rather than comprehensive. Understanding which federal laws apply to your business is the baseline before layering on state obligations. These US consumer data protection laws may be preempted in part by state laws or may impose additional obligations on top of state floors, meaning federal compliance does not substitute for state compliance. Consumer data laws in the US operate at both levels simultaneously.

HIPAA (Health Insurance Portability and Accountability Act)

Covered entities: Healthcare providers, health plans, healthcare clearinghouses, and their business associates that handle protected health information (PHI).

Key obligations: Safeguard the privacy and security of PHI; provide patients with rights to access and amend their health records; notify individuals and the Department of Health and Human Services (HHS) of breaches within 60 days.

Enforcement authority: HHS Office for Civil Rights (OCR). Penalties range from $100 to $50,000 per violation category, with annual caps.

GLBA (Gramm-Leach-Bliley Act)

Covered entities: Financial institutions, including banks, insurance companies, securities firms, and non-bank lenders that collect nonpublic personal information from consumers.

Key obligations: Provide privacy notices explaining data sharing practices; give consumers the right to opt out of sharing with non-affiliated third parties; implement a written information security program.

Enforcement authority: Federal Trade Commission (FTC), federal banking regulators, and state insurance regulators, depending on the institution type.

FCRA (Fair Credit Reporting Act)

Covered entities: Consumer reporting agencies, creditors, employers, landlords, and any business that uses consumer reports for credit, employment, housing, or insurance decisions.

Key obligations: Ensure accuracy of consumer report data; provide adverse action notices when consumer report data is used to deny credit or employment; honor consumer disputes and correction requests.

Enforcement authority: FTC and Consumer Financial Protection Bureau (CFPB). State attorneys general may also bring enforcement actions.

COPPA (Children's Online Privacy Protection Act)

Covered entities: Operators of websites and online services directed at children under 13, or any operator with actual knowledge that it is collecting personal information from children under 13.

Key obligations: Obtain verifiable parental consent before collecting personal information from children; provide clear privacy notices; allow parents to review and delete their child's data.

Enforcement authority: FTC. Civil penalties up to $51,744 per violation.

CAN-SPAM Act

Covered entities: Any person or business that sends commercial email messages.

Key obligations: Include a clear opt-out mechanism in every commercial email; honor opt-out requests within 10 business days; include a valid physical postal address; avoid deceptive subject lines and headers.

Enforcement authority: FTC and state attorneys general. Penalties up to $51,744 per email in violation.

FTC Health Breach Notification Rule

Covered entities: Vendors of personal health records and related entities that are not covered by HIPAA, including health apps, fitness trackers, and connected devices that collect health-related data.

Key obligations: Notify affected individuals, the FTC, and in some cases the media following a breach of unsecured personally identifiable health information. This rule is frequently overlooked by technology companies that handle health data outside the HIPAA framework.

Enforcement authority: FTC. This rule was expanded in 2024 to cover a broader range of health apps and connected devices, making it a significant compliance consideration for any B2B SaaS company operating in the health and wellness space.


US state data privacy laws: a current tracker

The compliance landscape continues to evolve rapidly. As of 2026, 22 US states have enacted comprehensive data privacy laws, up from near-zero in 2018, a shift that represents one of the most significant expansions of consumer data rights in US history, according to White & Case. Consumer data laws in the US now cover the majority of the US population.

The 22 states with enacted comprehensive data privacy laws are: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Alabama (effective May 1, 2027), and Oklahoma (effective January 1, 2027).

Data privacy laws by state vary significantly in their applicability thresholds, consumer rights scope, and enforcement mechanisms. The table below provides a current reference across all 22 states.

State

Law Name

Effective Date

Enforcement Start

Revenue/Data Threshold

Key Consumer Rights

California

CCPA/CPRA

Jan 1, 2020 / Jan 1, 2023

Mar 29, 2024 (CPPA)

$25M revenue; OR 100K+ consumers; OR 50%+ revenue from data sales

Access, deletion, correction, portability, opt-out of sale/sharing, limit sensitive data use

Virginia

CDPA

Jan 1, 2023

Jan 1, 2023

100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Colorado

CPA

Jul 1, 2023

Jul 1, 2023

100K+ consumers; OR 25K+ consumers + revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Connecticut

CTDPA

Jul 1, 2023

Jul 1, 2023

100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Utah

UCPA

Dec 31, 2023

Dec 31, 2023

$25M revenue; AND 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, deletion, portability, opt-out of sale, targeted advertising

Iowa

ICDPA

Jan 1, 2025

Jan 1, 2025

100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, deletion, portability, opt-out of sale, targeted advertising

Indiana

INCDPA

Jan 1, 2026

Jan 1, 2026

100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Tennessee

TIPA

Jul 1, 2025

Jul 1, 2025

$25M revenue; AND 175K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Texas

TDPSA

Jul 1, 2024

Jul 1, 2024

Conducts business in Texas; excludes small businesses

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Florida

FDBR

Jul 1, 2024

Jul 1, 2024

$1B+ revenue; AND specific data processing thresholds

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Maryland

MODPA

Oct 1, 2025

Oct 1, 2025

35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Minnesota

MCDPA

Jul 31, 2025

Jul 31, 2025

100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Montana

MCDPA

Oct 1, 2024

Oct 1, 2024

50K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising

Oregon

OCPA

Jul 1, 2024

Jul 1, 2024

100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Delaware

DPDPA

Jan 1, 2025

Jan 1, 2025

35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

New Hampshire

NHPA

Jan 1, 2025

Jan 1, 2025

35K+ consumers; OR 10K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

New Jersey

NJDPA

Jan 15, 2025

Jan 15, 2025

100K+ consumers; OR 25K+ consumers + revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Kentucky

KCDPA

Jan 1, 2026

Jan 1, 2026

100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising

Nebraska

NDPA

Jan 1, 2025

Jan 1, 2025

Conducts business in Nebraska; no specific threshold

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Rhode Island

RICDPA

Jan 1, 2026

Jan 1, 2026

35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Alabama

ADPA

May 1, 2027

May 1, 2027

35K+ consumers; OR 10K+ consumers + 25%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling

Oklahoma

OCPA

Jan 1, 2027

Jan 1, 2027

100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales

Access, correction, deletion, portability, opt-out of sale, targeted advertising

California

California Consumer Privacy Act (CCPA)

Specifics: The CCPA allows California residents to request that businesses disclose which types of personal data they're collecting, along with the source and business reason for collecting that information. It gives consumers the right to request that a business delete previously collected personal information and to opt out of a business's sale of their personal information. Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.

Scope: Applies to for-profit businesses that do business in California, collect California residents' personal information, and meet any of the following criteria:

  • Have gross annual revenue of more than $25 million

  • Buy, sell, or share personal information of 50,000 or more consumers, households, or devices

  • Derive 50% or more of revenue from selling or sharing consumers' personal information

Effective Date: January 1, 2020

California Consumer Privacy Rights Act (CPRA)

Specifics: The CPRA amended and expanded the CCPA. Under the CPRA, consumers can:

  • Stop businesses from sharing their personal information

  • Correct inaccurate personal information

  • Limit businesses' use of sensitive personal data

The amount of time businesses can store personal information is limited, and some penalties are increased. The CPRA established the California Privacy Protection Agency to enforce and monitor compliance.

In September 2025, the CPPA approved additional regulations covering cybersecurity audits and risk assessments, meaning CCPA/CPRA compliance is an ongoing operational obligation, not a one-time implementation.

Scope: Applies to for-profit businesses that operate in California, collect California residents' personal information, and meet one or more of the following thresholds:

  • Gross annual revenue of more than $25 million

  • Buy, sell, or share personal information of 100,000 or more consumers or households

  • Derive 50% or more of revenue from selling or sharing consumers' personal information

Effective Date: January 1, 2023. Enforcement by the CPPA commenced March 29, 2024.

Important distinction for B2B teams: California's CPRA, effective January 1, 2023, removed the temporary B2B and HR data exemptions that existed under the original CCPA, meaning CCPA/CPRA now applies to personal information collected in employment and business-to-business contexts. According to DLA Piper, California alone has enacted more than 25 separate state privacy and data security laws, and it is unique among state comprehensive privacy laws in applying to HR and B2B data, not just consumer-facing data. Most other state laws exclude from their scope consumers acting in a commercial or employment context.

Read More: CCPA: What the California Privacy Regulation Means for Your Business

Colorado

Colorado Privacy Act (CPA)

Specifics: The Colorado Privacy Act gives Colorado residents the right to know which businesses are collecting their personal data and to opt out of targeted advertising and the sale of their data. It also gives consumers the ability to access, correct, and delete their personal information.

Scope: Businesses and individuals that conduct business in Colorado or produce or deliver products or services targeting Colorado residents, and:

  • Control or process the personal information of 100,000 or more consumers a year, or

  • Make money from or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers

Effective Date: July 1, 2023

Connecticut

Connecticut Data Privacy Act (CTDPA)

Specifics: The Connecticut Data Privacy Act gives Connecticut residents the right to know when their data is collected by businesses, the right to opt out of data collection, and the right to correct and delete data that's been collected. The act also states that businesses must limit data collection to only what is relevant for business purposes, must be transparent about which type of data is collected and how they use it, and must protect consumer data.

Scope: For-profit businesses and individuals that conduct business in Connecticut, have products or services targeting its residents, and during the preceding calendar year:

  • Controlled or processed the personal information of 100,000 or more consumers, excluding data solely used for processing transactions, or

  • Made 25% of their gross revenue from the sale of personal data and processed or controlled the personal data of 25,000 or more consumers

Effective Date: July 1, 2023

Utah

Utah Consumer Privacy Act (UCPA)

Specifics: The Utah Consumer Privacy Act gives Utah's residents the right to know what types of personal data a business is collecting and whether the business sells their personal data. It also allows consumers to opt out and delete collected data. The UCPA requires that businesses implement data security practices, do not discriminate against consumers that opt out of data sharing, and provide consumers with a clear privacy notice that states how personal data is used and that they can opt out or delete data.

Scope: For-profit businesses and individuals that conduct business in Utah, produce a product or service targeting Utah residents, have annual revenue of $25 million or more, and:

  • Control or process the personal information of 100,000 or more consumers a year, or

  • Make over 50% of the company's gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers

Effective Date: December 31, 2023

Virginia

Consumer Data Protection Act (CDPA)

Specifics: This law gives Virginia residents the right to access, correct, delete, and obtain a copy of their personal data. It also gives consumers the right to opt out of data collection, and requires businesses to be transparent about their data collection practices, limit the use and collection to reasonably necessary data, and protect that data.

Scope: For-profit businesses and individuals that conduct business in Virginia or have a product or service targeting Virginia residents, and:

  • Control or process the personal information of 100,000 or more consumers a year, or

  • Make over 50% of the company's gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers

Effective Date: January 1, 2023


Consumer rights your business must honor across state laws

The state tracker above shows which laws apply to your business and when they took effect. This matrix goes a level deeper, mapping the specific consumer rights each law requires so you can identify where your compliance program needs to extend beyond a single-state baseline.

State privacy laws share a common vocabulary of consumer rights, but the specific rights required, and the scope of each, vary materially. The matrix below maps the eight core consumer rights across the major state laws currently in effect.

State

Right to Access

Right to Correction

Right to Deletion

Right to Portability

Opt-Out of Sale/Sharing

Opt-Out of Targeted Advertising

Opt-Out of Profiling

Right to Non-Discrimination

California (CCPA/CPRA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes (decisions with legal/significant effects)

Yes

Virginia (CDPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes (decisions with legal/significant effects)

Yes

Colorado (CPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Connecticut (CTDPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Utah (UCPA)

Yes

No

Yes

Yes

Yes

Yes

No

Yes

Iowa (ICDPA)

Yes

No

Yes

Yes

Yes

Yes

No

Yes

Texas (TDPSA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Florida (FDBR)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Montana (MCDPA)

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

Oregon (OCPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

New Jersey (NJDPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Nebraska (NDPA)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Other states (IN, TN, MD, MN, DE, NH, KY, RI, AL, OK)

Yes

Yes (most)

Yes

Yes

Yes

Yes

Yes (most)

Yes

A few distinctions are worth noting for compliance program design. California's CCPA/CPRA provides an opt-out of both "sale" and "sharing" of personal information, which covers cross-context behavioral advertising even when no money changes hands. Virginia, Colorado, and Connecticut focus on opt-out of "targeted advertising" as a distinct right. Utah and Iowa do not require a right to correction or opt-out of profiling, making them less restrictive on those dimensions.

The most operationally efficient strategy for businesses operating across multiple states is a highest-common-denominator approach: build your privacy program to satisfy California's CCPA/CPRA requirements. California's framework is the most comprehensive among US state laws, and a program designed to meet its obligations will meet or exceed the requirements of every other state law currently in effect. This approach also reduces the compliance maintenance burden as new states continue to enact laws, you are not rebuilding your program for each new jurisdiction.

For teams managing sensitive personal data categories (health information, precise geolocation, racial or ethnic origin, financial data, biometric data), additional obligations apply under most state frameworks, with California and Oregon imposing the most stringent requirements.


How US privacy law compares to GDPR

Multinational companies and legal teams advising global clients need to understand how US data protection laws vs GDPR differ in structure, scope, and enforcement. The frameworks share common goals, giving individuals more control over their personal data, but they differ fundamentally in their legal architecture.

Dimension

GDPR (EU)

CCPA/CPRA (California, as US reference)

Legal basis for processing

Requires a lawful basis (consent, legitimate interest, contract, legal obligation, vital interests, public task)

No lawful basis requirement; data collection is generally permitted unless the consumer opts out

Consent model

Opt-in: affirmative consent required for most processing activities

Opt-out: data collection is permitted by default; consumers must actively exercise their rights

Data subject rights scope

Access, rectification, erasure, portability, restriction of processing, objection, rights related to automated decision-making

Access, correction, deletion, portability, opt-out of sale/sharing, limit use of sensitive data, opt-out of profiling

Enforcement authority

National data protection authorities (DPAs) in each EU member state; coordinated by European Data Protection Board (EDPB)

California Privacy Protection Agency (CPPA) for CPRA; California AG for CCPA civil enforcement

Penalty structure

Up to 4% of global annual revenue or €20M, whichever is higher

$2,500 per unintentional violation; $7,500 per intentional violation; private right of action for data breaches

Territorial scope

Applies to any organization processing EU residents' data, regardless of where the organization is located

Applies to for-profit businesses meeting California revenue or data volume thresholds, regardless of location

Breach notification timeline

72 hours to notify the supervisory authority; without undue delay to affected individuals

72 hours to notify the CPPA (under CPRA regulations); reasonable time to notify affected individuals

Data Protection Officer (DPO) requirement

Required for certain categories of organizations (public authorities, large-scale systematic monitoring, large-scale sensitive data processing)

No equivalent requirement under CCPA/CPRA

The key structural difference is the consent model. GDPR requires organizations to identify a lawful basis before processing personal data, consent is one option, but not the only one. CCPA/CPRA operates on an opt-out model where data collection is generally permitted unless the consumer exercises their rights. This means a GDPR-compliant program cannot be assumed to satisfy CCPA/CPRA, and vice versa.

GDPR compliance does not automatically satisfy US state law requirements. Businesses operating in both the EU and California need parallel compliance programs. The consent mechanisms, privacy notices, data subject request workflows, and breach notification procedures required under each framework are different enough that a single unified program will typically need jurisdiction-specific components (our GDPR compliance guide covers the full EU framework in detail). The breach notification timelines in the table above are a useful starting point for understanding where those jurisdiction-specific procedures diverge most sharply.


Breach notification requirements: what to do when data is exposed

When personal data is exposed, the clock starts immediately. Federal and state breach notification laws impose specific timelines and procedures that businesses must follow, and the obligations vary depending on the type of data involved and the jurisdictions where affected individuals reside.

Federal breach notification requirements

HIPAA requires covered entities to notify affected individuals and HHS within 60 days of discovering a breach involving PHI. For breaches affecting 500 or more individuals in a single state, media notification is also required. Business associates must notify the covered entity within 60 days of discovery.

GLBA requires financial institutions to notify their primary federal regulator as soon as possible, and no later than 30 days after discovery, of a breach involving customer financial information. Customer notification is required when the breach is reasonably likely to result in substantial harm.

The FTC Health Breach Notification Rule requires vendors of personal health records and related entities to notify affected individuals, the FTC, and in some cases the media following a breach. This rule applies to health apps and connected devices outside the HIPAA framework, a frequently overlooked obligation for technology companies handling health-related data.

State breach notification law variations

All 50 US states have enacted some form of breach notification law. The variations across states include:

  • Notification timing requirements ranging from 30 to 90 days after discovery

  • Different definitions of what constitutes "personal information" triggering notification

  • Different notification recipients (affected individuals, state attorney general, credit bureaus, or some combination)

  • Different thresholds for when notification is required (some states require notification regardless of harm risk; others apply a harm threshold)

California requires notification to affected residents "in the most expedient time possible and without unreasonable delay." Several states, including New York and Colorado, impose specific 30-day or 45-day deadlines.

72-hour response checklist

When you discover a potential data breach, the first 72 hours are critical:

  • Contain: Isolate affected systems, revoke compromised credentials, and prevent further unauthorized access

  • Assess: Determine what data was exposed, how many individuals are affected, and which jurisdictions apply

  • Notify legal: Engage your legal team and privacy counsel immediately to assess notification obligations

  • Document: Create a contemporaneous record of discovery, assessment steps, and decisions made, this documentation is essential for regulatory inquiries

Building a structured response plan before an incident occurs is the most effective way to meet notification deadlines. For a framework to build that plan, see our compliance strategy guide.


How to build a compliance-ready data infrastructure

Legal compliance is a design constraint, not an afterthought. For RevOps and GTM Engineering teams, the question after reading a state law tracker is not "do we need to comply?" but "how do we operationalize compliance in our data infrastructure without creating new maintenance debt?" Here is a practical framework.

1. Audit your data inventory

Before you can manage compliance obligations, you need to know what personal data you collect, where it lives, who has access to it, and how long you retain it. This includes data in your CRM, marketing automation platform, enrichment pipelines, web forms, and any third-party integrations. Most organizations discover during this audit that personal data is scattered across more systems than they expected, and that retention practices are inconsistent.

2. Map your compliance obligations

Use the state tracker and federal law guide above to identify which laws apply to your business based on your revenue, data volumes, and the geographies where you collect data. Pay particular attention to California's CCPA/CPRA if you collect any data from California residents in employment or B2B contexts, the removal of the B2B and HR exemptions under CPRA means most enterprise businesses with California employees or business contacts are covered.

3. Implement consent and opt-out mechanisms

Ensure your web forms, CRM intake workflows, and enrichment pipelines honor opt-out signals. This means building opt-out status as a field that persists through enrichment updates, not just a flag on the original lead record. If a contact opts out and your enrichment pipeline overwrites that flag during a batch update, you have a compliance gap.

4. Establish continuous enrichment governance

Batch data appends create point-in-time snapshots that decay immediately. Data accuracy obligations under CCPA/CPRA require that personal information be kept accurate and up to date, which means continuous enrichment pipelines, not annual batch refreshes, are the operational standard for compliance.

ZoomInfo processes 1.5B+ data points daily across 500M contacts, 100M companies, 135M+ verified phone numbers, and 200M+ verified business emails, with verification by 300+ human researchers and up to 95% accuracy on first-party data. That data foundation is what makes compliant continuous enrichment operationally viable. GTM Studio, ZoomInfo's codeless enrichment interface for RevOps and GTM Engineers, provides waterfall enrichment from 25+ sources at no additional cost, eliminating the engineering ticket dependencies that create enrichment lag and compliance gaps. Within GTM Studio, the GTM Context Graph acts as the intelligence layer that reasons across your privacy-compliant first-party and third-party signals, connecting CRM data, behavioral signals, and verified B2B data into a unified view that supports accurate scoring, routing, and forecasting without requiring manual data stitching across systems.

5. Document your data processing activities

Maintain a record of processing activities (ROPA) that documents what personal data you collect, the legal basis or business purpose for processing it, how long you retain it, and who has access. This documentation is required under GDPR and is increasingly expected by state regulators conducting audits. California's September 2025 cybersecurity audit regulations make this documentation directly relevant for CPPA compliance as well. ZoomInfo's compliance-governed access model, which routes data to RevOps teams through GTM Studio, to sellers through GTM Workspace, and to developers through APIs and MCP, ensures that the access lanes feeding your ROPA are auditable by design rather than reconstructed after the fact.

The five steps above define the operational standard. The next section explains how ZoomInfo's platform is built to support each one.


How ZoomInfo approaches data privacy and compliance

ZoomInfo is an all-in-one AI GTM Platform built on a foundation of verified B2B data, an intelligence layer that reasons across your GTM signals, and governed access controls, all designed to operate within the strictest privacy frameworks.

ZoomInfo holds ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications. ISO 27001 covers the information security management systems that protect the data ZoomInfo processes. ISO 27701 extends that framework specifically to privacy information management, governing how personal data is collected, used, and retained. SOC 2 Type II provides independent attestation that ZoomInfo's security, availability, and confidentiality controls operate effectively over time. TRUSTe GDPR/CCPA certification validates that ZoomInfo's privacy practices meet the requirements of both frameworks as assessed by an independent third party.

For RevOps and GTM Engineering teams, GTM Studio is the practical answer to the compliance-ready enrichment challenge. GTM Studio's codeless interface lets RevOps teams configure enrichment workflows, waterfall logic across 25+ data sources, and data governance rules without engineering dependencies. That means your opt-out flags, retention policies, and data accuracy obligations can be enforced at the enrichment layer, not patched in after the fact.

The platform's verified data foundation, continuous enrichment architecture, and auditable access controls are designed to support the compliance posture this article describes: a data infrastructure that knows what it holds, honors consumer rights in real time, and documents its processing activities for audit readiness.

To see how ZoomInfo's platform supports your compliance and data governance requirements, request a demo.


Frequently asked questions about US consumer data privacy laws

Which US states have comprehensive data privacy laws?

As of 2026, 22 states have enacted comprehensive data privacy laws. These include California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Alabama (effective May 1, 2027), and Oklahoma (effective January 1, 2027). Each law has different applicability thresholds based on revenue, data volumes, and percentage of revenue from data sales. Businesses operating across multiple states should build their privacy program to satisfy the strictest applicable requirements, use our state privacy law tracker for the current full list.

What is the difference between CCPA and GDPR?

GDPR (EU) uses an opt-in consent model requiring a lawful basis for processing personal data, while CCPA (California) uses an opt-out model where data collection is permitted unless the consumer objects. GDPR applies to any organization processing EU residents' data regardless of location; CCPA applies to for-profit businesses meeting specific California revenue or data volume thresholds. GDPR penalties can reach 4% of global annual revenue; CCPA civil penalties are $2,500 per unintentional violation and $7,500 per intentional violation. Multinational companies need parallel compliance programs for both frameworks, our GDPR compliance guide covers the EU obligations in detail.

Is CCPA still in effect?

Yes. The original CCPA took effect January 1, 2020. The California Privacy Rights Act (CPRA) amended and expanded the CCPA, with its provisions effective January 1, 2023, and enforcement by the California Privacy Protection Agency commencing March 29, 2024. In September 2025, the CPPA approved additional regulations covering cybersecurity audits and risk assessments, meaning CCPA/CPRA compliance is an ongoing operational obligation, not a one-time implementation.

Does US data privacy law apply to B2B data?

California's CCPA/CPRA is unique among US state privacy laws in applying to personal information collected in both consumer and business-to-business contexts, including HR data. The CPRA removed the temporary B2B and HR data exemptions that existed under the original CCPA, effective January 1, 2023. Most other state comprehensive privacy laws, Virginia, Colorado, Connecticut, Utah, and others, exclude from their scope consumers acting in a commercial or employment context, meaning B2B data is generally exempt outside California. See our guide on sensitive personal data for more on the data categories that trigger heightened obligations under CCPA/CPRA.

What should businesses do to prepare for multiple state privacy law compliance?

Start with a data inventory: know what personal data you collect, where it lives, and who has access. Map your compliance obligations using the applicability thresholds for each state law (revenue, data volume, percentage of revenue from data sales). Implement consent and opt-out mechanisms in your web forms, CRM intake, and enrichment workflows. Adopt a highest-common-denominator approach, build your privacy program to satisfy California's CCPA/CPRA requirements and you will meet or exceed most other state law obligations. Document your data processing activities for audit readiness, particularly given California's new cybersecurity audit regulations effective 2025. For a structured framework, see our foolproof compliance strategy guide.