State Privacy Laws Create New Corporate Liabilities
May 1, 2026
By Guest Blogger Yan Ross JD, Editor-in-Chief, Cyber Defense Magazine
Many consumer-related rights and liabilities begin at the State level; the growing trend for States to enact and enforce privacy laws began in California. Privacy failures such as data breaches can also create multi-state litigation exposure.
Under the current provisions of the California Consumer Privacy Rights Act (CPRA), itself an extension of the prior Consumer Privacy Act (CCPA), not only can the State Attorney General bring an enforcement action, but consumers can also sue directly under certain provisions for private rights of action.
To be clear, the CPRA/CCPA does NOT create a private lawsuit for every violation. Consumers generally may sue only for certain data security failures leading to breaches. And not every data element triggers suit rights.
In general, such private lawsuits arise mainly from data breaches, where the business failed to maintain reasonable security procedures, and where specified personal information is subject to one or more of these types of exploits:
- unauthorized access
- theft
- disclosure
- exfiltration
- hacking
Not all types of personal information are covered, but these are often covered by State privacy legislation:
- Social Security numbers
- Driver license numbers
- Financial account credentials
- Medical information
- Insurance data
- Login credentials with passwords
- Sensitive identifiers typically tied to identity theft risk
Accordingly, it is worth noting that the breach-related definition in most cases is narrower than the broad general “personally identifiable information” definition used in many other laws.
Many companies mistakenly think they need a physical California office to be subject to these provisions. Physical presence is NOT required. A business may be covered even if located elsewhere, if it handles California resident data and meets certain thresholds. The focus is consumer residency, not company location.
Other States with Relevant Privacy Laws
Without shouting “Fire” in a crowded theater, it’s still important to recognize that failure to maintain reasonable security procedures can result in corporate liabilities under the laws of California and a growing number of other States.
As of 2026, nearly 20 states have enacted comprehensive consumer privacy statutes. Many follow the model created by California through the California Consumer Privacy Act and California Privacy Rights Act.
States with major privacy rights laws include:
- Virginia
- Colorado
- Connecticut
- Utah
- Texas
- Oregon
- Montana
- Indiana
- Tennessee
- Iowa
- Delaware
- New Jersey
- New Hampshire
- Nebraska
- Minnesota
- Maryland
While most do NOT create the breadth of California-style consumer lawsuit rights, there are other types of litigation risks, such as breaches involving biometric information, deceptive trade practices, consumer fraud, HIPAA-related actions, and more general class action lawsuits.
SEC Regulation:
For public companies, privacy rights failures, especially data breaches, can trigger multiple SEC disclosure, governance, and securities-law obligations. While the SEC does not regulate companies directly under privacy law, the SEC requires that investors be properly informed about cyber/privacy risk exposure.
Next month, we plan to elaborate on SEC reporting requirements based on cyber-related events, including a growing trend in the cybersecurity industry to provide early warnings of data breaches and prompt remedial actions. In the age of artificial intelligence, and the ready availability of AI engines used by criminals, these developments will become an important point of concern for in-house and outside securities counsel.
You can reach the author for additional information by email at yan.ross@cyberdefensemagazine.com