Understanding the US privacy compliance landscape
One enforcement action, one data breach, one class-action lawsuit, any of these can create serious organizational risk for businesses that have not built a rigorous compliance posture. The patchwork of US consumer data privacy laws has grown significantly over the past several years, and the compliance and reputational costs of getting it wrong can be severe.
Understanding the state of consumer data privacy laws in the US requires grappling with a three-tier structure: federal sector-specific laws, state comprehensive privacy laws, and state sector-specific laws. No single federal omnibus law governs all of it, which means your compliance obligations depend heavily on where you operate, what data you collect, and which industries you serve.
The General Data Protection Regulation (GDPR) and the ePrivacy Directive are the most prominent international frameworks, and they have shaped how US regulators and legislators think about privacy rights. For a detailed breakdown of GDPR obligations, see our GDPR compliance guide.
At ZoomInfo, an all-in-one AI GTM Platform, we hold ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications, and we want to help you build an equally rigorous compliance posture. This guide covers the federal laws that apply to your business today, the 22 state laws now in effect or pending, how US law compares to GDPR, and how to operationalize compliance in your data infrastructure.
Why the US still has no single federal privacy law
US consumer data privacy laws operate across three distinct tiers. At the federal level, sector-specific laws govern particular industries: healthcare, financial services, credit reporting, children's online services, and email marketing each have their own statutory frameworks. Below that, a growing number of states have enacted comprehensive privacy laws that apply broadly to businesses collecting personal data about their residents. And at the third tier, states layer additional sector-specific laws on top of both federal and state comprehensive frameworks.
This structure creates compliance complexity that a single federal omnibus law would theoretically resolve. The American Privacy Rights Act of 2024 (also referred to as the American data privacy and Protection Act, or APRA) was the most recent bipartisan attempt to pass such a law. It stalled due to political climate shifts, industry lobbying, and the growing complexity of privacy concerns, and according to DLA Piper, a comprehensive federal privacy law is not expected to pass in the near future.
The practical implication for compliance teams is straightforward: plan for the patchwork, not the promise of federal preemption. Waiting for Congress to pass a single framework that overrides state laws is not a viable compliance strategy. The states have moved faster than the federal government, and that gap is widening.
The three-tier structure also means that federal and state obligations can interact in ways that are not always intuitive. A federal law may set a floor that state law exceeds, or a state law may be partially preempted by a federal framework in a specific sector. Healthcare organizations, for example, must navigate HIPAA at the federal level and then layer on California's CCPA/CPRA, which applies to employee and business-contact data in ways that HIPAA does not address.
For RevOps and GTM Engineering teams, the practical consequence is that your data infrastructure must be built to accommodate multiple overlapping obligations simultaneously. A contact database that is HIPAA-compliant is not automatically CCPA-compliant. An enrichment pipeline that satisfies Virginia's Consumer Data Protection Act may not satisfy California's CPRA. The architecture must be designed with jurisdictional flexibility from the start.
Federal privacy laws that apply to your business today
Federal data privacy laws in the US are sector-specific rather than comprehensive. Understanding which federal laws apply to your business is the baseline before layering on state obligations. These US consumer data protection laws may be preempted in part by state laws or may impose additional obligations on top of state floors, meaning federal compliance does not substitute for state compliance. Consumer data laws in the US operate at both levels simultaneously.
HIPAA (Health Insurance Portability and Accountability Act)
Covered entities: Healthcare providers, health plans, healthcare clearinghouses, and their business associates that handle protected health information (PHI).
Key obligations: Safeguard the privacy and security of PHI; provide patients with rights to access and amend their health records; notify individuals and the Department of Health and Human Services (HHS) of breaches within 60 days.
Enforcement authority: HHS Office for Civil Rights (OCR). Penalties range from $100 to $50,000 per violation category, with annual caps.
GLBA (Gramm-Leach-Bliley Act)
Covered entities: Financial institutions, including banks, insurance companies, securities firms, and non-bank lenders that collect nonpublic personal information from consumers.
Key obligations: Provide privacy notices explaining data sharing practices; give consumers the right to opt out of sharing with non-affiliated third parties; implement a written information security program.
Enforcement authority: Federal Trade Commission (FTC), federal banking regulators, and state insurance regulators, depending on the institution type.
FCRA (Fair Credit Reporting Act)
Covered entities: Consumer reporting agencies, creditors, employers, landlords, and any business that uses consumer reports for credit, employment, housing, or insurance decisions.
Key obligations: Ensure accuracy of consumer report data; provide adverse action notices when consumer report data is used to deny credit or employment; honor consumer disputes and correction requests.
Enforcement authority: FTC and Consumer Financial Protection Bureau (CFPB). State attorneys general may also bring enforcement actions.
COPPA (Children's Online Privacy Protection Act)
Covered entities: Operators of websites and online services directed at children under 13, or any operator with actual knowledge that it is collecting personal information from children under 13.
Key obligations: Obtain verifiable parental consent before collecting personal information from children; provide clear privacy notices; allow parents to review and delete their child's data.
Enforcement authority: FTC. Civil penalties up to $51,744 per violation.
CAN-SPAM Act
Covered entities: Any person or business that sends commercial email messages.
Key obligations: Include a clear opt-out mechanism in every commercial email; honor opt-out requests within 10 business days; include a valid physical postal address; avoid deceptive subject lines and headers.
Enforcement authority: FTC and state attorneys general. Penalties up to $51,744 per email in violation.
FTC Health Breach Notification Rule
Covered entities: Vendors of personal health records and related entities that are not covered by HIPAA, including health apps, fitness trackers, and connected devices that collect health-related data.
Key obligations: Notify affected individuals, the FTC, and in some cases the media following a breach of unsecured personally identifiable health information. This rule is frequently overlooked by technology companies that handle health data outside the HIPAA framework.
Enforcement authority: FTC. This rule was expanded in 2024 to cover a broader range of health apps and connected devices, making it a significant compliance consideration for any B2B SaaS company operating in the health and wellness space.
US state data privacy laws: a current tracker
The compliance landscape continues to evolve rapidly. As of 2026, 22 US states have enacted comprehensive data privacy laws, up from near-zero in 2018, a shift that represents one of the most significant expansions of consumer data rights in US history, according to White & Case. Consumer data laws in the US now cover the majority of the US population.
The 22 states with enacted comprehensive data privacy laws are: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Alabama (effective May 1, 2027), and Oklahoma (effective January 1, 2027).
Data privacy laws by state vary significantly in their applicability thresholds, consumer rights scope, and enforcement mechanisms. The table below provides a current reference across all 22 states.
State | Law Name | Effective Date | Enforcement Start | Revenue/Data Threshold | Key Consumer Rights |
|---|---|---|---|---|---|
California | CCPA/CPRA | Jan 1, 2020 / Jan 1, 2023 | Mar 29, 2024 (CPPA) | $25M revenue; OR 100K+ consumers; OR 50%+ revenue from data sales | Access, deletion, correction, portability, opt-out of sale/sharing, limit sensitive data use |
Virginia | CDPA | Jan 1, 2023 | Jan 1, 2023 | 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Colorado | CPA | Jul 1, 2023 | Jul 1, 2023 | 100K+ consumers; OR 25K+ consumers + revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Connecticut | CTDPA | Jul 1, 2023 | Jul 1, 2023 | 100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Utah | UCPA | Dec 31, 2023 | Dec 31, 2023 | $25M revenue; AND 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, deletion, portability, opt-out of sale, targeted advertising |
Iowa | ICDPA | Jan 1, 2025 | Jan 1, 2025 | 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, deletion, portability, opt-out of sale, targeted advertising |
Indiana | INCDPA | Jan 1, 2026 | Jan 1, 2026 | 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Tennessee | TIPA | Jul 1, 2025 | Jul 1, 2025 | $25M revenue; AND 175K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Texas | TDPSA | Jul 1, 2024 | Jul 1, 2024 | Conducts business in Texas; excludes small businesses | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Florida | FDBR | Jul 1, 2024 | Jul 1, 2024 | $1B+ revenue; AND specific data processing thresholds | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Maryland | MODPA | Oct 1, 2025 | Oct 1, 2025 | 35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Minnesota | MCDPA | Jul 31, 2025 | Jul 31, 2025 | 100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Montana | MCDPA | Oct 1, 2024 | Oct 1, 2024 | 50K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising |
Oregon | OCPA | Jul 1, 2024 | Jul 1, 2024 | 100K+ consumers; OR 25K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Delaware | DPDPA | Jan 1, 2025 | Jan 1, 2025 | 35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
New Hampshire | NHPA | Jan 1, 2025 | Jan 1, 2025 | 35K+ consumers; OR 10K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
New Jersey | NJDPA | Jan 15, 2025 | Jan 15, 2025 | 100K+ consumers; OR 25K+ consumers + revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Kentucky | KCDPA | Jan 1, 2026 | Jan 1, 2026 | 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising |
Nebraska | NDPA | Jan 1, 2025 | Jan 1, 2025 | Conducts business in Nebraska; no specific threshold | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Rhode Island | RICDPA | Jan 1, 2026 | Jan 1, 2026 | 35K+ consumers; OR 10K+ consumers + 20%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Alabama | ADPA | May 1, 2027 | May 1, 2027 | 35K+ consumers; OR 10K+ consumers + 25%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising, profiling |
Oklahoma | OCPA | Jan 1, 2027 | Jan 1, 2027 | 100K+ consumers; OR 25K+ consumers + 50%+ revenue from data sales | Access, correction, deletion, portability, opt-out of sale, targeted advertising |
California
California Consumer Privacy Act (CCPA)
Specifics: The CCPA allows California residents to request that businesses disclose which types of personal data they're collecting, along with the source and business reason for collecting that information. It gives consumers the right to request that a business delete previously collected personal information and to opt out of a business's sale of their personal information. Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.
Scope: Applies to for-profit businesses that do business in California, collect California residents' personal information, and meet any of the following criteria:
Have gross annual revenue of more than $25 million
Buy, sell, or share personal information of 50,000 or more consumers, households, or devices
Derive 50% or more of revenue from selling or sharing consumers' personal information
Effective Date: January 1, 2020
California Consumer Privacy Rights Act (CPRA)
Specifics: The CPRA amended and expanded the CCPA. Under the CPRA, consumers can:
Stop businesses from sharing their personal information
Correct inaccurate personal information
Limit businesses' use of sensitive personal data
The amount of time businesses can store personal information is limited, and some penalties are increased. The CPRA established the California Privacy Protection Agency to enforce and monitor compliance.
In September 2025, the CPPA approved additional regulations covering cybersecurity audits and risk assessments, meaning CCPA/CPRA compliance is an ongoing operational obligation, not a one-time implementation.
Scope: Applies to for-profit businesses that operate in California, collect California residents' personal information, and meet one or more of the following thresholds:
Gross annual revenue of more than $25 million
Buy, sell, or share personal information of 100,000 or more consumers or households
Derive 50% or more of revenue from selling or sharing consumers' personal information
Effective Date: January 1, 2023. Enforcement by the CPPA commenced March 29, 2024.
Important distinction for B2B teams: California's CPRA, effective January 1, 2023, removed the temporary B2B and HR data exemptions that existed under the original CCPA, meaning CCPA/CPRA now applies to personal information collected in employment and business-to-business contexts. According to DLA Piper, California alone has enacted more than 25 separate state privacy and data security laws, and it is unique among state comprehensive privacy laws in applying to HR and B2B data, not just consumer-facing data. Most other state laws exclude from their scope consumers acting in a commercial or employment context.
Read More: CCPA: What the California Privacy Regulation Means for Your Business
Colorado
Colorado Privacy Act (CPA)
Specifics: The Colorado Privacy Act gives Colorado residents the right to know which businesses are collecting their personal data and to opt out of targeted advertising and the sale of their data. It also gives consumers the ability to access, correct, and delete their personal information.
Scope: Businesses and individuals that conduct business in Colorado or produce or deliver products or services targeting Colorado residents, and:
Control or process the personal information of 100,000 or more consumers a year, or
Make money from or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers
Effective Date: July 1, 2023
Connecticut
Connecticut Data Privacy Act (CTDPA)
Specifics: The Connecticut Data Privacy Act gives Connecticut residents the right to know when their data is collected by businesses, the right to opt out of data collection, and the right to correct and delete data that's been collected. The act also states that businesses must limit data collection to only what is relevant for business purposes, must be transparent about which type of data is collected and how they use it, and must protect consumer data.
Scope: For-profit businesses and individuals that conduct business in Connecticut, have products or services targeting its residents, and during the preceding calendar year:
Controlled or processed the personal information of 100,000 or more consumers, excluding data solely used for processing transactions, or
Made 25% of their gross revenue from the sale of personal data and processed or controlled the personal data of 25,000 or more consumers
Effective Date: July 1, 2023
Utah
Utah Consumer Privacy Act (UCPA)
Specifics: The Utah Consumer Privacy Act gives Utah's residents the right to know what types of personal data a business is collecting and whether the business sells their personal data. It also allows consumers to opt out and delete collected data. The UCPA requires that businesses implement data security practices, do not discriminate against consumers that opt out of data sharing, and provide consumers with a clear privacy notice that states how personal data is used and that they can opt out or delete data.
Scope: For-profit businesses and individuals that conduct business in Utah, produce a product or service targeting Utah residents, have annual revenue of $25 million or more, and:
Control or process the personal information of 100,000 or more consumers a year, or
Make over 50% of the company's gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers
Effective Date: December 31, 2023
Virginia
Consumer Data Protection Act (CDPA)
Specifics: This law gives Virginia residents the right to access, correct, delete, and obtain a copy of their personal data. It also gives consumers the right to opt out of data collection, and requires businesses to be transparent about their data collection practices, limit the use and collection to reasonably necessary data, and protect that data.
Scope: For-profit businesses and individuals that conduct business in Virginia or have a product or service targeting Virginia residents, and:
Control or process the personal information of 100,000 or more consumers a year, or
Make over 50% of the company's gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers
Effective Date: January 1, 2023
Consumer rights your business must honor across state laws
The state tracker above shows which laws apply to your business and when they took effect. This matrix goes a level deeper, mapping the specific consumer rights each law requires so you can identify where your compliance program needs to extend beyond a single-state baseline.
State privacy laws share a common vocabulary of consumer rights, but the specific rights required, and the scope of each, vary materially. The matrix below maps the eight core consumer rights across the major state laws currently in effect.
State | Right to Access | Right to Correction | Right to Deletion | Right to Portability | Opt-Out of Sale/Sharing | Opt-Out of Targeted Advertising | Opt-Out of Profiling | Right to Non-Discrimination |
|---|---|---|---|---|---|---|---|---|
California (CCPA/CPRA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes (decisions with legal/significant effects) | Yes |
Virginia (CDPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes (decisions with legal/significant effects) | Yes |
Colorado (CPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Connecticut (CTDPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Utah (UCPA) | Yes | No | Yes | Yes | Yes | Yes | No | Yes |
Iowa (ICDPA) | Yes | No | Yes | Yes | Yes | Yes | No | Yes |
Texas (TDPSA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Florida (FDBR) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Montana (MCDPA) | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
Oregon (OCPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
New Jersey (NJDPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Nebraska (NDPA) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Other states (IN, TN, MD, MN, DE, NH, KY, RI, AL, OK) | Yes | Yes (most) | Yes | Yes | Yes | Yes | Yes (most) | Yes |
A few distinctions are worth noting for compliance program design. California's CCPA/CPRA provides an opt-out of both "sale" and "sharing" of personal information, which covers cross-context behavioral advertising even when no money changes hands. Virginia, Colorado, and Connecticut focus on opt-out of "targeted advertising" as a distinct right. Utah and Iowa do not require a right to correction or opt-out of profiling, making them less restrictive on those dimensions.
The most operationally efficient strategy for businesses operating across multiple states is a highest-common-denominator approach: build your privacy program to satisfy California's CCPA/CPRA requirements. California's framework is the most comprehensive among US state laws, and a program designed to meet its obligations will meet or exceed the requirements of every other state law currently in effect. This approach also reduces the compliance maintenance burden as new states continue to enact laws, you are not rebuilding your program for each new jurisdiction.
For teams managing sensitive personal data categories (health information, precise geolocation, racial or ethnic origin, financial data, biometric data), additional obligations apply under most state frameworks, with California and Oregon imposing the most stringent requirements.
How US privacy law compares to GDPR
Multinational companies and legal teams advising global clients need to understand how US data protection laws vs GDPR differ in structure, scope, and enforcement. The frameworks share common goals, giving individuals more control over their personal data, but they differ fundamentally in their legal architecture.
Dimension | GDPR (EU) | CCPA/CPRA (California, as US reference) |
|---|---|---|
Legal basis for processing | Requires a lawful basis (consent, legitimate interest, contract, legal obligation, vital interests, public task) | No lawful basis requirement; data collection is generally permitted unless the consumer opts out |
Consent model | Opt-in: affirmative consent required for most processing activities | Opt-out: data collection is permitted by default; consumers must actively exercise their rights |
Data subject rights scope | Access, rectification, erasure, portability, restriction of processing, objection, rights related to automated decision-making | Access, correction, deletion, portability, opt-out of sale/sharing, limit use of sensitive data, opt-out of profiling |
Enforcement authority | National data protection authorities (DPAs) in each EU member state; coordinated by European Data Protection Board (EDPB) | California Privacy Protection Agency (CPPA) for CPRA; California AG for CCPA civil enforcement |
Penalty structure | Up to 4% of global annual revenue or €20M, whichever is higher | $2,500 per unintentional violation; $7,500 per intentional violation; private right of action for data breaches |
Territorial scope | Applies to any organization processing EU residents' data, regardless of where the organization is located | Applies to for-profit businesses meeting California revenue or data volume thresholds, regardless of location |
Breach notification timeline | 72 hours to notify the supervisory authority; without undue delay to affected individuals | 72 hours to notify the CPPA (under CPRA regulations); reasonable time to notify affected individuals |
Data Protection Officer (DPO) requirement | Required for certain categories of organizations (public authorities, large-scale systematic monitoring, large-scale sensitive data processing) | No equivalent requirement under CCPA/CPRA |
The key structural difference is the consent model. GDPR requires organizations to identify a lawful basis before processing personal data, consent is one option, but not the only one. CCPA/CPRA operates on an opt-out model where data collection is generally permitted unless the consumer exercises their rights. This means a GDPR-compliant program cannot be assumed to satisfy CCPA/CPRA, and vice versa.
GDPR compliance does not automatically satisfy US state law requirements. Businesses operating in both the EU and California need parallel compliance programs. The consent mechanisms, privacy notices, data subject request workflows, and breach notification procedures required under each framework are different enough that a single unified program will typically need jurisdiction-specific components (our GDPR compliance guide covers the full EU framework in detail). The breach notification timelines in the table above are a useful starting point for understanding where those jurisdiction-specific procedures diverge most sharply.
Breach notification requirements: what to do when data is exposed
When personal data is exposed, the clock starts immediately. Federal and state breach notification laws impose specific timelines and procedures that businesses must follow, and the obligations vary depending on the type of data involved and the jurisdictions where affected individuals reside.
Federal breach notification requirements
HIPAA requires covered entities to notify affected individuals and HHS within 60 days of discovering a breach involving PHI. For breaches affecting 500 or more individuals in a single state, media notification is also required. Business associates must notify the covered entity within 60 days of discovery.
GLBA requires financial institutions to notify their primary federal regulator as soon as possible, and no later than 30 days after discovery, of a breach involving customer financial information. Customer notification is required when the breach is reasonably likely to result in substantial harm.
The FTC Health Breach Notification Rule requires vendors of personal health records and related entities to notify affected individuals, the FTC, and in some cases the media following a breach. This rule applies to health apps and connected devices outside the HIPAA framework, a frequently overlooked obligation for technology companies handling health-related data.
State breach notification law variations
All 50 US states have enacted some form of breach notification law. The variations across states include:
Notification timing requirements ranging from 30 to 90 days after discovery
Different definitions of what constitutes "personal information" triggering notification
Different notification recipients (affected individuals, state attorney general, credit bureaus, or some combination)
Different thresholds for when notification is required (some states require notification regardless of harm risk; others apply a harm threshold)
California requires notification to affected residents "in the most expedient time possible and without unreasonable delay." Several states, including New York and Colorado, impose specific 30-day or 45-day deadlines.
72-hour response checklist
When you discover a potential data breach, the first 72 hours are critical:
Contain: Isolate affected systems, revoke compromised credentials, and prevent further unauthorized access
Assess: Determine what data was exposed, how many individuals are affected, and which jurisdictions apply
Notify legal: Engage your legal team and privacy counsel immediately to assess notification obligations
Document: Create a contemporaneous record of discovery, assessment steps, and decisions made, this documentation is essential for regulatory inquiries
Building a structured response plan before an incident occurs is the most effective way to meet notification deadlines. For a framework to build that plan, see our compliance strategy guide.
How to build a compliance-ready data infrastructure
Legal compliance is a design constraint, not an afterthought. For RevOps and GTM Engineering teams, the question after reading a state law tracker is not "do we need to comply?" but "how do we operationalize compliance in our data infrastructure without creating new maintenance debt?" Here is a practical framework.
1. Audit your data inventory
Before you can manage compliance obligations, you need to know what personal data you collect, where it lives, who has access to it, and how long you retain it. This includes data in your CRM, marketing automation platform, enrichment pipelines, web forms, and any third-party integrations. Most organizations discover during this audit that personal data is scattered across more systems than they expected, and that retention practices are inconsistent.
2. Map your compliance obligations
Use the state tracker and federal law guide above to identify which laws apply to your business based on your revenue, data volumes, and the geographies where you collect data. Pay particular attention to California's CCPA/CPRA if you collect any data from California residents in employment or B2B contexts, the removal of the B2B and HR exemptions under CPRA means most enterprise businesses with California employees or business contacts are covered.
3. Implement consent and opt-out mechanisms
Ensure your web forms, CRM intake workflows, and enrichment pipelines honor opt-out signals. This means building opt-out status as a field that persists through enrichment updates, not just a flag on the original lead record. If a contact opts out and your enrichment pipeline overwrites that flag during a batch update, you have a compliance gap.
4. Establish continuous enrichment governance
Batch data appends create point-in-time snapshots that decay immediately. Data accuracy obligations under CCPA/CPRA require that personal information be kept accurate and up to date, which means continuous enrichment pipelines, not annual batch refreshes, are the operational standard for compliance.
ZoomInfo processes 1.5B+ data points daily across 500M contacts, 100M companies, 135M+ verified phone numbers, and 200M+ verified business emails, with verification by 300+ human researchers and up to 95% accuracy on first-party data. That data foundation is what makes compliant continuous enrichment operationally viable. GTM Studio, ZoomInfo's codeless enrichment interface for RevOps and GTM Engineers, provides waterfall enrichment from 25+ sources at no additional cost, eliminating the engineering ticket dependencies that create enrichment lag and compliance gaps. Within GTM Studio, the GTM Context Graph acts as the intelligence layer that reasons across your privacy-compliant first-party and third-party signals, connecting CRM data, behavioral signals, and verified B2B data into a unified view that supports accurate scoring, routing, and forecasting without requiring manual data stitching across systems.
5. Document your data processing activities
Maintain a record of processing activities (ROPA) that documents what personal data you collect, the legal basis or business purpose for processing it, how long you retain it, and who has access. This documentation is required under GDPR and is increasingly expected by state regulators conducting audits. California's September 2025 cybersecurity audit regulations make this documentation directly relevant for CPPA compliance as well. ZoomInfo's compliance-governed access model, which routes data to RevOps teams through GTM Studio, to sellers through GTM Workspace, and to developers through APIs and MCP, ensures that the access lanes feeding your ROPA are auditable by design rather than reconstructed after the fact.
The five steps above define the operational standard. The next section explains how ZoomInfo's platform is built to support each one.
How ZoomInfo approaches data privacy and compliance
ZoomInfo is an all-in-one AI GTM Platform built on a foundation of verified B2B data, an intelligence layer that reasons across your GTM signals, and governed access controls, all designed to operate within the strictest privacy frameworks.
ZoomInfo holds ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications. ISO 27001 covers the information security management systems that protect the data ZoomInfo processes. ISO 27701 extends that framework specifically to privacy information management, governing how personal data is collected, used, and retained. SOC 2 Type II provides independent attestation that ZoomInfo's security, availability, and confidentiality controls operate effectively over time. TRUSTe GDPR/CCPA certification validates that ZoomInfo's privacy practices meet the requirements of both frameworks as assessed by an independent third party.
For RevOps and GTM Engineering teams, GTM Studio is the practical answer to the compliance-ready enrichment challenge. GTM Studio's codeless interface lets RevOps teams configure enrichment workflows, waterfall logic across 25+ data sources, and data governance rules without engineering dependencies. That means your opt-out flags, retention policies, and data accuracy obligations can be enforced at the enrichment layer, not patched in after the fact.
The platform's verified data foundation, continuous enrichment architecture, and auditable access controls are designed to support the compliance posture this article describes: a data infrastructure that knows what it holds, honors consumer rights in real time, and documents its processing activities for audit readiness.
To see how ZoomInfo's platform supports your compliance and data governance requirements, request a demo.
Frequently asked questions about US consumer data privacy laws
Which US states have comprehensive data privacy laws?
As of 2026, 22 states have enacted comprehensive data privacy laws. These include California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island, Alabama (effective May 1, 2027), and Oklahoma (effective January 1, 2027). Each law has different applicability thresholds based on revenue, data volumes, and percentage of revenue from data sales. Businesses operating across multiple states should build their privacy program to satisfy the strictest applicable requirements, use our state privacy law tracker for the current full list.
What is the difference between CCPA and GDPR?
GDPR (EU) uses an opt-in consent model requiring a lawful basis for processing personal data, while CCPA (California) uses an opt-out model where data collection is permitted unless the consumer objects. GDPR applies to any organization processing EU residents' data regardless of location; CCPA applies to for-profit businesses meeting specific California revenue or data volume thresholds. GDPR penalties can reach 4% of global annual revenue; CCPA civil penalties are $2,500 per unintentional violation and $7,500 per intentional violation. Multinational companies need parallel compliance programs for both frameworks, our GDPR compliance guide covers the EU obligations in detail.
Is CCPA still in effect?
Yes. The original CCPA took effect January 1, 2020. The California Privacy Rights Act (CPRA) amended and expanded the CCPA, with its provisions effective January 1, 2023, and enforcement by the California Privacy Protection Agency commencing March 29, 2024. In September 2025, the CPPA approved additional regulations covering cybersecurity audits and risk assessments, meaning CCPA/CPRA compliance is an ongoing operational obligation, not a one-time implementation.
Does US data privacy law apply to B2B data?
California's CCPA/CPRA is unique among US state privacy laws in applying to personal information collected in both consumer and business-to-business contexts, including HR data. The CPRA removed the temporary B2B and HR data exemptions that existed under the original CCPA, effective January 1, 2023. Most other state comprehensive privacy laws, Virginia, Colorado, Connecticut, Utah, and others, exclude from their scope consumers acting in a commercial or employment context, meaning B2B data is generally exempt outside California. See our guide on sensitive personal data for more on the data categories that trigger heightened obligations under CCPA/CPRA.
What should businesses do to prepare for multiple state privacy law compliance?
Start with a data inventory: know what personal data you collect, where it lives, and who has access. Map your compliance obligations using the applicability thresholds for each state law (revenue, data volume, percentage of revenue from data sales). Implement consent and opt-out mechanisms in your web forms, CRM intake, and enrichment workflows. Adopt a highest-common-denominator approach, build your privacy program to satisfy California's CCPA/CPRA requirements and you will meet or exceed most other state law obligations. Document your data processing activities for audit readiness, particularly given California's new cybersecurity audit regulations effective 2025. For a structured framework, see our foolproof compliance strategy guide.
