Pitfalls to Avoid in Consumer Data Protection Compliance

by John DiGiacomo

Partner

Internet Law

As of mid-2025, twenty States have enacted some version of a comprehensive consumer data privacy statute. Fourteen of those statutes are in full effect, with the remaining six to become effective by January 1, 2026. Given the “patchwork quilt” created by the overlapping and sometimes inconsistent statutes, there are a lot of potential legal pitfalls that companies must avoid when attempting compliance. Fortunately, none of the data protection statutes allow consumers to directly sue for alleged violations. However, no company wants to face an administrative enforcement action by a State’s Attorney General’s Office. In this article, the Consumer Data Protection Lawyers at Revision Legal highlight some legal pitfalls to avoid.

The largest potential pitfall is the assumption that the data protection statutes do not apply to your company or organization. If your company is making use of the internet — which means, basically, every company — then there is a potential that your company is a “covered entity” under at least one consumer data protection statute. Further, you may not think that your company is collecting data, but if your website uses cookies, your website could be collecting enough data to make your company subject to the data protection statutes. Further, collecting and processing consumer data for purposes of payment IS collecting and processing data as defined by some of the statutes. Some statutes require compliance where data is collected and processed for as few as 35,000 residents of the state per year. That is about 100 sales transactions a day (and assumes this is the ONLY type of consumer data collected).

Another pitfall is assuming there is no need for compliance because your organization is a not-for-profit. While most of these statutes exempt not-for-profits, there are two notable exceptions: Delaware and Oregon.

A similar pitfall arises with the collection of personal data of employees and job applicants. Nearly all of the consumer data protection statutes exempt data collected and processed when an individual is acting in an “employment” capacity. However, California’s consumer protection statutes do not. Further, both Colorado and Illinois have separate statutes protecting the privacy of employees with respect to the use of biometric data — including the use of fingerprints.

The key lesson here is that compliance with consumer data protection statutes is legally and factually complex. You need to consult experienced and trusted legal advisers.

Other pitfalls to avoid include:

  • Improper or insufficient disclosures — every data protection statute requires some form of notice to consumers when data is being collected; one pitfall to avoid is having the wrong disclosure or having a disclosure that is not sufficiently detailed as required by the given statute
  • Not locating disclosures and opt-outs prominently — hyperlinks to disclosures must be prominently displayed; the same is true for any opt-out options required by the statutes; one pitfall to avoid is not having these placed with sufficient prominence
  • Failure with respect to appeal mechanisms — most of the new consumer data protection statutes require an “easy” appeal mechanism; one pitfall to avoid is failing to have an appeal mechanism, and/or failing to make the mechanism easy to find and easy to use
  • Use of “dark patterns” — in more recent consumer data protection statutes, lawmakers are specifically legislating that consumer consent cannot be obtained through use of “dark patterns”; dark patterns are visual and other tricks that encourage the consumer to take the action desired by the company, like offering a large green-colored “I consent” button while the “do not accept” button is red and small
  • Failure to conduct data impact assessments — many newer consumer data protection statutes require the preparation and submission of a data impact assessment
  • And more

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
