As of mid-2025, twenty States have enacted some version of a comprehensive consumer data privacy statute. Fourteen of those statutes are in full effect, and the remaining six become effective by January 1, 2026. Because the statutes overlap and are sometimes inconsistent, the resulting “patchwork quilt” creates many legal pitfalls for companies attempting compliance. One point of relief: with the exception of California’s limited private right of action for data breaches, none of these statutes allows consumers to sue directly for alleged violations. Enforcement instead rests with each State’s Attorney General (and, in California, the California Privacy Protection Agency), and no company wants to face an administrative enforcement action. In this article, the Consumer Data Protection Lawyers at Revision Legal highlight some legal pitfalls to avoid.
The largest potential pitfall is assuming that the data protection statutes do not apply to your company or organization. If your company uses the internet — which means, basically, every company — there is a real possibility that your company is a covered “controller” or “business” under at least one consumer data protection statute. You may not think of your company as collecting data, but if your website sets cookies or tracking pixels, it may be collecting enough personal data to bring your company within a statute’s scope. Likewise, collecting and processing consumer data to take payment IS collecting and processing personal data as the statutes define it. Several statutes apply once data is collected or processed for as few as 35,000 residents of the state per year, which works out to roughly 100 sales transactions a day (and that assumes payment data is the ONLY kind of consumer data collected). Texas goes further and imposes no numerical threshold at all.
Another pitfall is assuming there is no need for compliance because your organization is a not-for-profit. Most of these statutes exempt not-for-profits, but several do not, including Colorado, Delaware, New Jersey and Oregon.
A similar pitfall arises with the personal data of employees and job applicants. Nearly all of the consumer data protection statutes exempt data collected and processed about an individual acting in an “employment” capacity. California’s statute does not: since January 1, 2023, the CCPA/CPRA applies fully to employee and applicant data. Further, Illinois’s Biometric Information Privacy Act (BIPA), which carries a private right of action, and Colorado’s biometric privacy provisions both reach the collection of employee biometric data such as fingerprints.
The key lesson here is that compliance with consumer data protection statutes is legally and factually complex. You need to consult experienced and trusted legal advisers.
Other pitfalls to avoid include:
- Improper or insufficient disclosures — every data protection statute requires some form of notice to consumers when data is being collected; one pitfall to avoid is having the wrong disclosure or having a disclosure that is not sufficiently detailed as required by the given statute
- Not locating disclosures and opt-outs prominently — hyperlinks to disclosures must be prominently displayed; the same is true for any opt-out options required by the statutes; one pitfall to avoid is not having these placed with sufficient prominence
- Failure with respect to appeal mechanisms — most of the new consumer data protection statutes require that a consumer whose rights request is denied be given a “conspicuously available” appeal process; one pitfall to avoid is failing to have an appeal mechanism, and/or failing to make the mechanism easy to find and easy to use
- Use of “dark patterns” — in more recent consumer data protection statutes, lawmakers specifically provide that consent obtained through “dark patterns” is not valid consent; dark patterns are visual and other design tricks that push the consumer toward the action the company wants, such as a large green “I consent” button paired with a small, low-contrast “Do not accept” button
- Failure to conduct data protection assessments — many newer consumer data protection statutes require a documented data protection (or “data impact”) assessment before engaging in higher-risk processing such as targeted advertising, sale of personal data, profiling, or processing of sensitive data; the assessment generally must be produced to the Attorney General on request, so failing to prepare or retain one is a pitfall
- And more
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The Patchwork Problem: Navigating 20-Plus State Data Laws
As of mid-2025, no federal comprehensive consumer data privacy law has been enacted in the United States. The result is a patchwork of state laws with overlapping scopes, inconsistent definitions, and varying enforcement mechanisms. Some key differences between the major state statutes that create compliance complexity:
- California (CCPA/CPRA) — applies to for-profit businesses meeting any one of three thresholds: annual gross revenue above roughly $25 million (inflation-adjusted); buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information; applies to employee data; includes a private right of action for data breaches caused by a failure to maintain reasonable security
- Virginia (VCDPA) — applies to businesses controlling or processing personal data of 100,000 or more Virginia residents, or 25,000 or more residents where more than 50% of revenue comes from data sales; no private right of action
- Colorado (CPA) — applies to businesses that control or process personal data of 100,000 or more Colorado consumers per year or 25,000 or more consumers from whom the controller derives revenue; requires a universal opt-out mechanism
- Texas (TDPSA) — applies to any business that conducts business in Texas or offers products or services consumed by Texas residents and that processes or sells personal data, with no revenue or consumer-count thresholds; the only carve-out is for “small businesses” as defined by the U.S. Small Business Administration, and even they need consent before selling sensitive data
Rights You Must Honor and How to Build a Compliance Program
Most state consumer data privacy statutes give consumers a similar set of rights with respect to their personal data. These typically include:
- Right to access — consumers can request confirmation of whether their data is being processed and obtain a copy of the data
- Right to correction — consumers can request correction of inaccurate personal data
- Right to deletion — consumers can request deletion of their personal data (subject to certain exceptions)
- Right to portability — consumers can request their data in a portable format
- Right to opt out of targeted advertising, sale of personal data, and profiling
- Right to appeal — if a business denies a consumer rights request, the consumer must be given a mechanism to appeal the denial
Building a compliance program requires: (1) a data mapping exercise to identify what personal data is collected, from whom, for what purposes, and with whom it is shared; (2) a privacy notice that accurately describes these practices; (3) a mechanism to receive and respond to consumer rights requests within the statutory deadlines (typically 45 days, extendable by 45 days); and (4) data processing agreements with all vendors that receive personal data.
Enforcement Trends and the Risk of Non-Compliance
State attorneys general have begun actively enforcing consumer data privacy laws. The California Attorney General has conducted enforcement sweeps focused on specific industries and practices, resulting in substantial settlements, and the California Privacy Protection Agency has begun issuing its own enforcement decisions. The Texas Attorney General has filed suit under the TDPSA, and Connecticut and Colorado have issued enforcement guidance and initiated civil investigative demands against businesses operating in their states.
Civil penalties under most state statutes run from $2,500 to $7,500 per violation (with California’s higher figure reserved for intentional violations), and Colorado’s CPA allows up to $20,000 per violation. Texas’s TDPSA authorizes penalties of up to $7,500 per violation. Because each affected consumer can count as a separate violation, a business that processes the personal data of millions of consumers without adequate disclosures or consent mechanisms faces enormous potential penalty exposure.