As of mid-2025, twenty States have enacted some version of a comprehensive consumer data privacy statute. Fourteen of those statutes are in full effect, with the remaining six to become effective by January 1, 2026. Given the “patchwork quilt” created by the overlapping and sometimes inconsistent statutes, there are many potential legal pitfalls that companies must avoid when attempting compliance. Fortunately, none of the data protection statutes allow consumers to directly sue for alleged violations. However, no company wants to face an administrative enforcement action by a State’s Attorney General’s Office. In this article, the Consumer Data Protection Lawyers at Revision Legal highlight some legal pitfalls to avoid.
The largest potential pitfall is assuming that the data protection statutes do not apply to your company or organization. If your company makes use of the internet — which means, basically, every company — then your company may be a “covered entity” under at least one consumer data protection statute. You may not think your company is collecting data, but if your website uses cookies, it could be collecting enough data to make your company subject to the data protection statutes. Moreover, collecting and processing consumer data for purposes of payment IS collecting and processing data as defined by some of the statutes. Some statutes require compliance where data is collected and processed for as few as 35,000 residents of the state per year. That is about 100 sales transactions a day (and assumes this is the ONLY type of consumer data collected).
Other pitfalls to avoid include assuming there is no need for compliance because your organization is a not-for-profit organization. While most of these statutes exempt not-for-profits, there are two notable exceptions: Delaware and Oregon.
A similar pitfall should be avoided based on the collection of personal data of employees and job applicants. Nearly all of the consumer data protection statutes exempt data collected and processed when an individual is acting in an “employment” capacity. However, California’s consumer protection statutes do not. Further, both Colorado and Illinois have separate statutes protecting the privacy of employees with respect to the use of biometric data — including the use of fingerprints.
The key lesson here is that compliance with consumer data protection statutes is legally and factually complex. You need to consult experienced and trusted legal advisers.
Other pitfalls to avoid include:
- Improper or insufficient disclosures — every data protection statute requires some form of notice to consumers when data is being collected; the pitfall is using the wrong disclosure, or one that lacks the level of detail the given statute requires
- Not locating disclosures and opt-outs prominently — hyperlinks to disclosures must be prominently displayed, as must any opt-out options the statutes require; the pitfall is placing them without sufficient prominence
- Failure with respect to appeal mechanisms — most of the new consumer data protection statutes require an “easy” appeal mechanism; the pitfall is failing to provide one, or making it hard to find or hard to use
- Use of “dark patterns” — in more recent consumer data protection statutes, lawmakers are specifically legislating that consumer consent cannot be obtained through the use of “dark patterns.” Dark patterns are visual and other design tricks that nudge the consumer toward the action the company wants, such as a large green “I consent” button paired with a small red “do not accept” button
- Failure to conduct data impact assessments — many newer consumer data protection statutes require the preparation and submission of a data impact assessment
- And more
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.