US State Privacy Laws
The United States does not have a comprehensive federal privacy law equivalent to the GDPR. Instead, privacy is governed by a growing patchwork of state laws, with California's CCPA/CPRA being the most comprehensive and serving as the de facto national standard. As of early 2026, around 20 states have enacted comprehensive consumer privacy laws, with more pending. This creates a complex compliance landscape for any platform operating nationally, and it is only getting more complex.
Per ADR-001: US-First Market Strategy, ReGenesis launches in the US market first. This means US state privacy laws are not a future concern — they are an immediate, day-one requirement. The initial target client base includes organizations headquartered across multiple states with employees in all 50 states. Every state where a coachee resides is a state whose privacy law applies to the platform.
ReGenesis's compliance strategy is straightforward:
- CCPA/CPRA as the regulatory floor — California has the broadest and strictest state privacy law, so satisfying California satisfies most other states; the exceptions (appeal rights and opt-in consent for sensitive data in the Virginia-model states) are covered by the GDPR-grade design described below
- GDPR as the design ceiling — GDPR is more demanding than any US state law in nearly every dimension, so building to GDPR standards automatically covers US requirements
- Targeted additions for US-specific requirements — A small number of provisions are unique to US law (e.g., "Do Not Sell" link, Global Privacy Control signal, state-specific breach notification timelines)
The critical commitment: ReGenesis does not sell personal data. This is not just a legal position — it is a fundamental business principle. Revenue comes from enterprise coaching subscriptions, not from data monetization. This eliminates the most contentious and complex area of US privacy law (sale/sharing opt-out rights) and simplifies compliance across all state laws.
The business case for multi-state compliance: Enterprise clients operate nationally. They need vendors who can demonstrate compliance with the privacy laws of every state where their employees reside. A vendor who only handles California compliance creates legal risk for the client. ReGenesis's GDPR-grade architecture, combined with a state-specific jurisdiction resolver, provides national coverage from day one.
CCPA/CPRA: The US Privacy Baseline
What Is CCPA/CPRA?
- CCPA (California Consumer Privacy Act): Original law, effective January 1, 2020
- CPRA (California Privacy Rights Act): Amended and significantly strengthened CCPA, effective January 1, 2023
- CPPA (California Privacy Protection Agency): Dedicated enforcement agency created by CPRA — the first state-level privacy enforcement agency in the US
- Applicability: Businesses that collect personal information of California residents and meet certain thresholds (revenue, data volume, or revenue from selling data)
Does CCPA/CPRA Apply to ReGenesis?
| Threshold | CCPA/CPRA Requirement | ReGenesis Status |
|---|---|---|
| Annual gross revenue > $25M | Yes, if collecting CA resident data | Will apply once revenue threshold is met |
| Buy/sell/share data of 100K+ consumers/households | Yes | May apply at scale |
| 50%+ revenue from selling/sharing data | Yes | Does not apply — ReGenesis does not sell data |
Bottom line: CCPA/CPRA will apply to ReGenesis once the platform serves California-based enterprise clients with enrolled coachees who are California residents. Given the initial target market's significant California operations, this is effectively a day-one requirement.
Key CCPA/CPRA Consumer Rights
| Right | Description | ReGenesis Implementation |
|---|---|---|
| Right to Know | What personal information is collected, used, disclosed, and sold | Self-service data dashboard + detailed privacy notice |
| Right to Delete | Request deletion of personal information collected | Per-user deletion pipeline with cryptographic deletion certificate |
| Right to Opt-Out of Sale/Sharing | Opt out of sale or sharing of personal information for cross-context behavioral advertising | N/A in practice (ReGenesis does not sell or share) but "Do Not Sell" link included regardless |
| Right to Correct | Correct inaccurate personal information | In-app profile editing + formal DSR channel for complex corrections |
| Right to Limit Use of Sensitive PI | Limit use and disclosure of sensitive personal information to what is necessary | Consent management for sensitive content; sensitive data vault with explicit consent |
| Right to Non-Discrimination | Cannot discriminate against consumers who exercise their privacy rights | Platform access and functionality unaffected by rights exercise |
| Right to Know About Automated Decision-Making (CPRA) | Information about automated decision-making technology and profiling | AI profile transparency, Evidence Packs, Automated Decisions page |
Sensitive Personal Information Under CPRA
CPRA defines "sensitive personal information" with enhanced protections. Consumers have the right to limit the use and disclosure of their sensitive PI to what is necessary for the service:
| Category | Applicable to ReGenesis? | Handling |
|---|---|---|
| Social Security, driver's license, passport numbers | No — not collected | N/A |
| Financial account details (with access credentials) | No — Stripe handles payments | N/A |
| Precise geolocation (within a radius of 1,850 feet) | No — not collected | N/A |
| Racial or ethnic origin | Possibly — may arise in coaching conversations | Sensitive content detection + vault |
| Religious or philosophical beliefs | Possibly — may arise in coaching conversations | Sensitive content detection + vault |
| Union membership | No — not collected | N/A |
| Contents of mail, email, text messages (unless directed to business) | No — ReGenesis is not an email provider | N/A |
| Genetic data | No — not collected | N/A |
| Biometric data for identification | No — not collected | N/A |
| Health information | Yes — coaching content frequently includes health-adjacent data | Sensitive content detection + vault + explicit consent |
| Sex life or sexual orientation | Possibly — may arise in coaching conversations | Sensitive content detection + vault |
Key takeaway: The most relevant sensitive PI category for ReGenesis is health information. Coaching conversations naturally touch on stress, burnout, mental health, work-life balance, and other health-adjacent topics. The sensitive content detection system automatically flags this content and routes it to the sensitive data vault with enhanced protections. This is the same mechanism that satisfies GDPR Article 9 (special category data), so building to GDPR covers the CPRA sensitive PI requirement.
The US State Privacy Patchwork: Comprehensive Comparison
Beyond California, the following states have enacted comprehensive privacy laws. The trend is accelerating: if the current pace continues, a majority of US states will have comprehensive privacy laws within a few years, and a federal law may emerge.
Tier 1: Major Enacted Privacy Laws
| State | Law | Effective | Revenue Threshold | Consumer Threshold | Private Right of Action | Enforcement |
|---|---|---|---|---|---|---|
| California | CCPA/CPRA | 2020/2023 | $25M | 100K consumers | Yes (data breaches only) | CPPA + AG |
| Virginia | VCDPA | Jan 2023 | None | 100K consumers OR 25K consumers + 50% revenue from sale of data | No | AG only |
| Colorado | CPA | Jul 2023 | None | 100K consumers OR 25K consumers + revenue from data | No | AG only |
| Connecticut | CTDPA | Jul 2023 | None | 100K consumers OR 25K consumers + 25% revenue from data | No | AG only |
| Utah | UCPA | Dec 2023 | $25M | 100K consumers OR 25K consumers + 50% revenue from data | No | AG only |
Tier 2: Enacted Laws (2024-2026)
| State | Law | Effective | Key Distinctions from California |
|---|---|---|---|
| Oregon | OCPA | Jul 2024 | Includes nonprofits (from Jul 2025); broad sensitive data definition; 30-day cure period (sunsets Jan 2026) |
| Texas | TDPSA | Jul 2024 | Applies to ALL businesses (no revenue threshold); 30-day cure period |
| Montana | MCDPA | Oct 2024 | Low threshold (50K consumers); no revenue threshold |
| Iowa | ICDPA | Jan 2025 | Narrower scope: no right to correct and no profiling opt-out; 90-day cure period; targeted advertising addressed by a disclosure-and-opt-out notice rather than a standalone right |
| Delaware | DPDPA | Jan 2025 | Broad scope; includes nonprofits; low threshold (35K consumers) |
| New Hampshire | NHPA | Jan 2025 | Similar to Connecticut; 35K consumer threshold |
| New Jersey | NJDPA | Jan 2025 | Broad scope; low threshold (100K consumers, no revenue exemption); strong sensitive data provisions |
| Nebraska | NDPA | Jan 2025 | Similar to Texas (applies to all businesses) |
| Maryland | MODPA | Oct 2025 | Strongest data minimization requirements in US; purpose limitation provisions approaching GDPR |
| Minnesota | MCDPA | Jul 2025 | Includes specific profiling provisions; consumer right to question profiling results |
| Tennessee | TIPA | Jul 2025 | Affirmative defense for businesses with compliance programs; 60-day cure period |
| Indiana | INCDPA | Jan 2026 | Similar to Virginia model; 30-day cure period |
| Kentucky | KCDPA | Jan 2026 | Similar to Virginia model; 30-day cure period |
| Rhode Island | RIDTPPA | Jan 2026 | Includes specific health data provisions beyond standard sensitive data |
Tier 3: Enacted with Future Effective Dates / Pending
Several additional states have enacted laws with effective dates in 2026-2027 or have active legislation. The trajectory is clear: comprehensive state privacy legislation is becoming the norm, not the exception.
Consumer Rights Comparison by State
Not all state laws grant the same rights. Here is a comparison of the key consumer rights across major state privacy laws:
| Right | CA (CPRA) | VA | CO | CT | UT | TX | OR | MD |
|---|---|---|---|---|---|---|---|---|
| Right to access/know | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to delete | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to correct | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Right to portability | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of sale | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of targeted advertising | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to opt-out of profiling | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Right to limit sensitive data use | Yes | Consent required | Consent required | Consent required | Consent required | Consent required | Consent required | Consent required |
| Right to non-discrimination | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to appeal denial | No | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Right re: automated decisions / profiling with legal or similarly significant effects | Yes (CPRA + CPPA ADMT rules) | Yes | Yes | Yes | No | Yes | Yes | Yes |
Key takeaway: California (CPRA) grants the broadest set of rights. If the platform satisfies CPRA, it satisfies the rights requirements of every other state with two additions: appeal rights (the right to appeal a denial of a privacy request, found in every Virginia-model state) and Minnesota's right to question profiling results. ReGenesis supports both regardless because they are good practice. The GDPR-grade architecture provides all of these rights out of the box.
Opt-Out Requirements
Opt-out requirements are one of the most practically complex areas of US state privacy law. Different states require different mechanisms:
"Do Not Sell or Share" Requirements
| Requirement | States | ReGenesis Approach |
|---|---|---|
| "Do Not Sell" link on website | CA, CO, CT, VA, and others | Include link in website footer and platform settings |
| "Do Not Share" link on website | CA (CPRA added "sharing") | Same link covers both sale and sharing |
| Honor Global Privacy Control (GPC) signal | CA, CO, CT, MT, TX, OR, DE, NH, NJ, MD, MN, NE (and most other post-2023 laws) | Detect the Sec-GPC: 1 request header and navigator.globalPrivacyControl; honor automatically |
| Universal opt-out mechanism | CO (AG-recognized mechanism list), CA (CPPA regulations), and the GPC states above | GPC signal handling + privacy settings toggle |
The ReGenesis simplification: Because ReGenesis does not sell or share personal data for cross-context behavioral advertising, the opt-out mechanism is effectively confirmatory. When a user clicks "Do Not Sell" or sends a GPC signal, the platform confirms that no data is sold and offers additional privacy controls. This turns a compliance burden into a trust-building moment.
Opt-Out for Targeted Advertising
Most state laws give consumers the right to opt out of targeted advertising. ReGenesis does not engage in targeted advertising (it is a B2B SaaS platform, not an ad-supported service), so this does not apply. However, this position is documented clearly in the privacy notice to satisfy disclosure requirements.
Opt-Out for Profiling
Several states (CA, VA, CO, CT, TX, OR, MD, MN, among others) give consumers the right to opt out of profiling that produces legal or similarly significant effects. Sasha's behavioral profiling for coaching purposes does not typically produce "legal or similarly significant effects" (it does not affect employment decisions, credit, insurance, etc.), but ReGenesis provides the opt-out capability regardless because:
- It is consistent with GDPR Article 22 compliance (right not to be subject to automated decisions)
- It demonstrates respect for user autonomy (PbD Principle 7)
- Some state AGs may interpret "similarly significant effects" broadly
See Automated Decisions for the full treatment of profiling and automated decision-making.
How GDPR-Grade Architecture Satisfies All US State Requirements
This is the core insight of the ReGenesis compliance strategy: by building to GDPR standards (per ADR-001), the platform automatically satisfies the vast majority of US state privacy requirements. Here is the detailed comparison:
| Requirement Area | GDPR | US State Laws (Strictest) | ReGenesis Approach | Gap? |
|---|---|---|---|---|
| Lawful basis for processing | Required (6 bases) | Not required (opt-out model) | Build to GDPR | No gap |
| Privacy notice | Detailed (Art. 13-14) | Required but less detailed | Build to GDPR | No gap |
| Right to access | Art. 15 (broad) | CCPA Right to Know | Build to GDPR | No gap |
| Right to delete | Art. 17 (broad, with exceptions) | CCPA/state deletion rights | Build to GDPR | No gap |
| Right to portability | Art. 20 | Some states (limited) | Build to GDPR | No gap |
| Right to correct | Art. 16 | CPRA + most states | Build to GDPR | No gap |
| Data minimization | Explicit principle (Art. 5(1)(c)) | Maryland (strongest US) | Build to GDPR | No gap |
| Consent for sensitive data | Art. 9 (explicit consent) | CPRA (limit use right) | Build to GDPR | No gap |
| Breach notification | 72 hours to authority (Art. 33) | Varies by state breach law: "without unreasonable delay", with hard deadlines of 30 to 60 days in some states, plus AG/regulator notice above resident-count thresholds | Build to GDPR + state rules | Small gap: state-specific timelines and AG notification thresholds |
| DPO requirement | Conditional (Art. 37) | Not required | Appoint regardless | No gap |
| DPIA requirement | Required for high-risk (Art. 35) | Not required | Conduct regardless | No gap |
| Do Not Sell link | N/A | CCPA + others | Add: CCPA-specific | US-specific addition |
| GPC/universal opt-out | N/A | CA, CO, CT, MT, TX, OR, DE, NH, NJ, MD, MN, NE (and most other post-2023 laws) | Add: GPC signal handler | US-specific addition |
| State breach notification routing | N/A | All 50 states + DC | Add: per-state routing | US-specific addition |
| Cure periods | N/A | Varies by state | Add: tracking | US-specific addition |
Bottom line: Building to GDPR covers approximately 90% of US state privacy requirements. The remaining 10% is US-specific additions (Do Not Sell link, GPC signal, state-specific breach notification rules) that are straightforward to implement on top of the GDPR baseline.
Per-State Notice Requirements
Each state has specific requirements for privacy notices. The key differences:
| Requirement | CA (CPRA) | VA | CO | CT | Other States |
|---|---|---|---|---|---|
| Categories of PI collected | Required (12 months) | Required | Required | Required | Generally required |
| Categories of sources | Required | Not required | Not required | Not required | Varies |
| Business purpose for collection | Required | Required | Required | Required | Generally required |
| Categories of third parties | Required | Required | Required | Required | Generally required |
| Whether PI is sold/shared | Required | Required | Required | Required | Generally required |
| Retention periods | Required (CPRA) | Not required | Not required | Not required | MD requires |
| Right to opt-out description | Required | Required | Required | Required | Generally required |
| Sensitive PI categories | Required (CPRA) | Consent required | Consent required | Consent required | Varies |
| Automated decision-making disclosure | Required (CPRA) | Not required | Required | Required | Varies |
Key takeaway: ReGenesis maintains a single, comprehensive privacy notice that satisfies California's requirements (the strictest). This one notice, combined with state-specific addenda for unique requirements, provides national coverage. The notice is written in plain English (consistent with GDPR Article 12's "concise, transparent, intelligible" requirement) and is presented prominently in the platform and on the website.
Enforcement Mechanisms
Understanding who enforces these laws and how matters for risk assessment:
| State | Enforcement Agency | Private Right of Action? | Maximum Penalties | Cure Period |
|---|---|---|---|---|
| California | CPPA + AG | Yes (data breaches only, $100-$750/consumer/incident) | $2,500/violation; $7,500/intentional violation | None (CPRA removed cure period) |
| Virginia | AG only | No | $7,500/violation | 30 days (permanent) |
| Colorado | AG only | No | Up to $20,000/violation (Colorado Consumer Protection Act) | 60 days (sunset Jan 2025) |
| Connecticut | AG only | No | $5,000/violation (CUTPA) | 60 days (sunsets Dec 2024) |
| Utah | AG only | No | $7,500/violation | 30 days (permanent) |
| Texas | AG only | No | $7,500/violation | 30 days |
| Oregon | AG only | No | $7,500/violation | 30 days (sunsets 2026) |
| New Jersey | AG only | No | $10,000/first; $20,000/subsequent | 30 days (sunsets 18 months) |
| Maryland | AG only | No | $10,000/violation; $25,000/subsequent | 60 days (discretionary, sunsets Apr 2027) |
California is the only state with a dedicated privacy enforcement agency (CPPA) and a private right of action for data breaches. This means California residents can sue directly (not just rely on the AG). For ReGenesis, California compliance is not just a regulatory checkbox — it is a litigation risk management priority. Enterprise clients have significant California operations, so this applies from day one.
Key takeaway: California is the state that matters most, both because of the breadth of the law and because of the enforcement risk. The CPPA is actively issuing regulations, conducting audits, and bringing enforcement actions. The private right of action for data breaches means that a breach affecting California residents could result in class action lawsuits ($100-$750 per consumer per incident, which adds up fast). The GDPR-grade security architecture is the best defense.
The "Do Not Sell" Commitment
Even though ReGenesis does not sell personal data, CCPA and other state laws require specific compliance steps:
- Include "Do Not Sell or Share My Personal Information" link on website footer and platform settings
- Honor Global Privacy Control (GPC) browser signal as a valid opt-out request
- Record and log any opt-out requests received through these mechanisms
- Confirm in response that no data is sold, and offer additional privacy controls
- Annual disclosure in privacy notice that no personal information was sold or shared in the preceding 12 months
When an enterprise CISO or DPO sees "ReGenesis does not sell personal data" backed by a contractual commitment in the DPA, a technical architecture that has no data broker integrations, and a "Do Not Sell" link that confirms this — that is a trust signal that competitors who monetize data cannot match. The business model IS the compliance strategy.
Multi-State Compliance Overview
The US has been considering comprehensive federal privacy legislation (such as the American Data Privacy and Protection Act) for years. If enacted, a federal law may preempt some state laws and simplify compliance. ReGenesis monitors federal legislative activity but does not depend on a federal law being passed. The state-by-state compliance posture is robust, and a federal law would likely reduce the compliance burden, not increase it. In the meantime, the GDPR-grade architecture provides the strongest possible foundation regardless of how the US regulatory landscape evolves.