Ultimate guide to US data privacy protection laws: Stay secure with Veriff

In today’s digital age, convenience often comes at the cost of privacy. As technology advances, so do the risks of unprecedented surveillance and data exploitation. Recognizing this threat, countries worldwide are enacting comprehensive data protection and privacy laws to safeguard consumer data.

If your business onboards customers digitally, runs KYC checks, or processes identity data at scale, you already know that regulatory risk doesn’t stay neatly in one lane. Anti-money laundering requirements, fraud prevention obligations, and data privacy rules increasingly overlap, and right now, the privacy layer is getting more complex every year.

There’s still no federal privacy law in the US. Instead, regulated businesses must navigate a growing patchwork of state laws, each with its own thresholds, consumer rights, and rules around sensitive data. Three new laws in Indiana, Kentucky, and Rhode Island will take effect on January 1, 2026.

This guide covers what compliance teams, legal, risk, fraud, and product stakeholders at fintechs, banks, payment platforms, crypto businesses, marketplaces, and other digital businesses need to know: the current state-by-state picture, the practical steps to reduce operational risk, and where identity verification fits into your compliance posture.

1. Why regulated businesses face more privacy exposure

For decades, US privacy law was sectoral. If you were in financial services, FCRA and GLBA set the floor. Healthcare had HIPAA. Children’s data had COPPA. Everyone else largely operated in a gap.

That changed in 2020 when the California Consumer Privacy Act (CCPA) took effect. For the first time, a US state gave consumers the right to know what data was collected about them, request deletion, and opt out of data sales, regardless of which industry held the data. Its 2023 amendment, the California Privacy Rights Act (CPRA), created a dedicated enforcement agency and extended privacy protections to employees and job applicants.

Other states moved quickly. By 2025, more than 20 comprehensive state privacy laws were active or close to it. A federal law remains unlikely in the near term: the American Data Privacy and Protection Act of 2022 passed the House Energy and Commerce Committee with bipartisan support but never reached a floor vote, and the American Privacy Rights Act of 2024 met the same fate.

For regulated businesses, this matters more than it might for a generic SaaS company. You already process large volumes of sensitive personal information: identity documents, biometric data, financial records, behavioral signals used in fraud detection. That data profile attracts regulatory scrutiny. State privacy laws layer additional obligations on top of existing AML and KYC requirements, creating compliance complexity that touches your onboarding flows, vendor contracts, data retention policies, and product decisions.

The state-by-state framework is expanding, it applies to the data you already collect, and it demands a coordinated response across legal, compliance, and product teams.

2. State privacy laws: What regulated businesses need to know

Most US state privacy laws are based on the controller/processor model but differ in their thresholds, consumer rights, and sensitive-data rules. For businesses operating nationwide, it’s crucial to assess their obligations in each jurisdiction.

Today, more than two dozen states have active data privacy laws, including California (CCPA/CPRA), Colorado, Connecticut, Delaware, Florida, and Virginia. This list isn’t exhaustive, as new laws are regularly enacted and amended, but these frameworks currently define the compliance landscape.

The states that matter most for high-trust industries

California (CCPA/CPRA) remains the strictest, enforced by both the Attorney General and the California Privacy Protection Agency (CPPA). It is the only state that grants consumers a private right of action for certain security breaches — a meaningful litigation risk for businesses that handle large volumes of identity or financial data. If you onboard California residents, this law sets your highest bar.

Maryland (MODPA), effective October 1, 2025, is the most aggressive new law on sensitive data. It prohibits the outright sale of sensitive data regardless of consumer consent and allows collection only when strictly necessary to deliver a product or service. For businesses that process biometric data, government ID information, or financial identifiers as part of their onboarding workflows, Maryland’s data minimization requirements demand careful review.

Colorado (CPA) has been amended multiple times specifically to strengthen biometric and sensitive data protections, with the latest amendments taking effect July 1, 2025. Biometric data collected during identity verification — facial images, liveness checks — falls within this scope.

Minnesota (MCDPA), effective July 31, 2025, requires mandatory privacy impact assessments and carries strong opt-out rights. Businesses running automated decisioning in fraud prevention or credit underwriting should assess how this intersects with existing model governance obligations.

Tennessee (TIPA), effective July 1, 2025, offers an affirmative defense for businesses that follow the NIST Privacy Framework. If your compliance program is already aligned with NIST, documenting that alignment proactively creates a meaningful legal buffer.

Florida (FDBR) takes a narrower path, targeting primarily large technology companies with an emphasis on children’s data and social media platforms. If you’re not a dominant platform, you may fall outside its scope — but verify this against the specific thresholds before assuming exemption.

Utah (UCPA) sits at the lighter end of the spectrum. Consumer rights are more limited than in most peer states — data correction and the right to object to automated decision-making are not included. That said, lighter consumer rights don’t mean lower operational requirements; your data mapping and processing agreements still need to hold up.

Iowa (ICDPA) skips data protection impact assessments entirely, reducing one compliance burden — but that alone won’t simplify a multi-state compliance program.

The 2026 additions

Three laws joined the landscape on January 1, 2026, each with a distinct focus:

  • Indiana (Indiana Consumer Data Protection Act, InCDPA) stands out for its permanent 30-day right to cure — one of the few such provisions without an expiration date. It follows the standard controller/processor model and offers a meaningful runway for businesses to remediate compliance gaps before enforcement escalates.
  • Kentucky (KCDPA) introduces restrictions on automated content recognition (ACR) data. An April 2026 amendment will prohibit collecting ACR data without consumer consent from July 1, 2027.
  • Rhode Island (DTPPA) centers on transparency. Businesses must clearly and accessibly disclose their data practices to consumers — a requirement that directly affects privacy notice design and the disclosures embedded in onboarding flows.

Thresholds: who is covered?

Most state laws trigger coverage based on volume: commonly 100,000 consumers processed per year, or 25,000 if a meaningful share of revenue derives from data sales. Fintechs, banks, and digital platforms operating at scale will hit these thresholds in multiple states simultaneously. Don’t assume a single law applies — map your user base geographically.

3. Practical compliance steps for regulated businesses

Privacy compliance in regulated industries isn’t a separate workstream from your KYC, AML, or fraud obligations — it runs through the same data, the same systems, and often the same teams. These steps are designed for businesses where compliance complexity is already high.

Map your data with verification workflows in mind. Know what personal data you collect, where it originates, how long you retain it, and who can access it. For businesses running identity verification, this includes document images, extracted data fields, biometric samples, device signals, and risk scores. Each of these may qualify as sensitive data under one or more state laws. Data mapping isn’t a one-time exercise; it needs to stay current as your product and vendor stack evolve.

Review your vendor and processor agreements. Under the controller/processor model, your identity verification provider, fraud detection vendor, and data enrichment partners are processors. You are the controller. That means you’re responsible for what they do with the data you share. Review your data processing agreements to confirm they include the required contractual protections under applicable state laws, address data minimization and retention limits, and specify the permitted purposes for processing.

Build privacy into onboarding flows, not around them. Consumer rights (access, deletion, correction, opt-out) need to be operationally functional, not just disclosed in a privacy policy. For businesses with complex onboarding journeys, this means your product and engineering teams need to understand what data can be deleted post-verification, what must be retained for regulatory reasons, and how those two obligations interact. AML record-keeping requirements and privacy deletion rights will sometimes conflict; get clear on which law takes precedence and document that analysis.

Apply extra scrutiny to sensitive data. Several states (Maryland especially, but also Colorado and Minnesota) impose stricter obligations on biometric data, government identifiers, financial account data, and health information. If your onboarding process captures any of these, audit your legal basis for processing, confirm your retention periods are defensible, and ensure your privacy notices accurately describe what you collect and why.

Treat compliance as an ongoing program, not a deadline. Laws are amended frequently. Colorado has already been updated multiple times, Oregon amended its data sale provisions in 2025, and New Hampshire amendments are already underway. Schedule regular reviews of your compliance posture against current requirements. For regulated businesses, a privacy law update can interact unexpectedly with an existing AML policy or a product feature rollout. Build the review cadence into your risk management calendar.

Train the teams that touch personal data. Privacy isn’t owned by legal teams alone. Fraud analysts, onboarding product managers, customer success teams, and third-party vendor managers all handle personal data or make decisions that affect it. Basic training on consumer rights requests, incident response triggers, and data handling obligations reduces the risk of operational failures that create regulatory exposure.

Get qualified legal advice specific to your business. This guide is an overview, not legal advice. Your obligations depend on your business model, the states where you operate, the data you process, and how your existing regulatory obligations intersect with state privacy requirements. Work with counsel who understands both your industry and the evolving state law landscape.

4. How Veriff supports privacy-conscious identity verification

For regulated industries, compliance doesn’t stop at privacy policies. Identity verification sits at the intersection of KYC, AML, fraud prevention, and data protection — and how you run verification directly affects your privacy exposure.

Veriff uses AI and machine learning to authenticate identity documents and confirm user identities accurately and efficiently. The platform processes identity data as a data processor, not a controller — meaning the legal responsibility for data collection decisions rests with you, and Veriff’s role is to execute verification within the parameters you set. That structure matters under the controller/processor model that underpins most US state privacy laws.

On data minimization: Veriff’s verification sessions are designed to collect what is necessary for the verification purpose and no more. Document images and biometric data captured during a session are subject to defined retention periods, not held indefinitely. The data processing agreement sets out those retention limits, the permitted processing purposes, and the contractual protections required under applicable state laws — including provisions for handling deletion requests and responding to consumer rights inquiries that may affect verification records.

Veriff’s handling of biometric data, such as facial images and liveness signals, is governed by explicit DPA terms rather than default vendor policies. This is particularly important for a data category with heightened obligations under various state laws.

For compliance, legal, and product teams evaluating identity verification vendors, the right questions go beyond accuracy rates: What data does the vendor retain, and for how long? What are the contractual protections in the DPA? How does the vendor handle deletion requests that conflict with their own retention policies? How do they address sensitive data categories under state-specific rules? Veriff is designed to answer those questions clearly, so your verification program strengthens your compliance posture rather than complicating it.

Conclusion

US data privacy regulation is no longer a secondary issue for businesses. It’s a direct operational risk affecting your onboarding, vendor relationships, fraud prevention, and product design. With more than a dozen states now having their own laws, the compliance map is growing. The strictest regulations in states like California, Maryland, and Minnesota specifically target the biometric and identity data you’re already processing.

The businesses best positioned to scale across jurisdictions without accumulating hidden liability are the ones treating privacy compliance as part of their broader risk framework rather than a standalone legal checkbox: mapping data continuously, pressure-testing vendor agreements, building deletion and access rights into products rather than around them, and reviewing their posture as laws change.

That review cadence matters more than it did two years ago. With new laws taking effect and existing ones being amended — often in ways that interact with AML or fraud prevention obligations — privacy compliance is now a live operational discipline, not a project with a completion date.

If identity verification is part of your compliance stack, make sure your provider can support your obligations, not just your conversion rate.

Veriff does not provide legal advice. This article is intended for informational purposes only. Always consult qualified legal counsel or privacy specialists regarding your specific data protection and privacy obligations.
