US privacy regulation is moving quickly. Instead of one federal GDPR-style law, organisations must navigate a growing patchwork of state-level laws with overlapping but not identical requirements.
GDPR Register helps you manage this as one integrated privacy programme, not 20 separate projects.
We support work aligned with laws such as:
- California – CCPA and CPRA
- Virginia – CDPA
- Colorado – CPA
- Connecticut – CTDPA
- Utah – UCPA
- Texas – TDPSA
- Florida – FDBR
- Oregon – OCPA
- Montana – MCDPA
- Iowa – ICDPA
- Delaware – DPDPA
- Nebraska – NDPA
- New Hampshire – NHPA
- New Jersey – NJDPL
- Tennessee – TIPA
- Minnesota – MCDPA
- Maryland – MODPA
One data inventory, many state laws
Rather than keeping separate spreadsheets for each state, GDPR Register lets you:
- Build a single, structured data inventory covering purposes, data categories, recipients and retention
- Tag processing activities by state coverage (for example CA, CO, VA) or by type of obligation (sale, sharing, targeted advertising, sensitive data)
- Reuse your core RoPA structure from GDPR and adapt it to state privacy concepts
- Import existing Excel inventories and consolidate them into one harmonised model
Consumer rights and opt-outs
US privacy laws give individuals rights that vary slightly by state but often include access, deletion, correction, portability and opt-outs for:
- Sale or sharing of personal data
- Targeted advertising
- Certain profiling activities
With GDPR Register you can:
- Track consumer rights requests in one register, with fields to indicate which state law applies
- Record opt-out preferences (sale/sharing, targeted ads, profiling) and link them to relevant systems and vendors
- Define workflows for how marketing, product and data teams must act on these requests
- Keep an audit trail of decisions, including where requests are limited by legal or operational constraints
Vendor and contract management
Many state laws place explicit duties on contracts with processors, service providers, third parties and “sale” or “sharing” partners.
GDPR Register helps you:
- Maintain a central vendor and partner register with flags for their role (processor, service provider, third party, contractor)
- Track key contractual terms required by state laws (for example purpose limitation, deletion, sub-processing controls, audit rights)
- Link vendors to the processing activities, data flows and states in which they operate
- Integrate vendor assessments into your overall privacy and security risk view
Risk assessments and high-risk activities
Several US laws require data protection assessments for high-risk activities such as targeted advertising, sale of personal data, sensitive data processing and certain profiling.
With GDPR Register you can:
- Run assessment workflows for high-risk use cases, using templates that can be aligned with state-law expectations
- Reuse your DPIA structure where appropriate and adapt questions to US requirements
- Use a risk matrix to evaluate likelihood and impact, and document mitigation measures
- Export assessment reports for internal governance and potential regulator enquiries
Avoiding fragmented, state-by-state compliance
The goal is not to build seventeen separate programmes. GDPR Register helps you:
- Start from a harmonised baseline of privacy controls and documentation
- Add state-specific fields, tags and views without duplicating records
- Use filters and dashboards to see which activities and vendors are in scope of which laws
- Keep consumer rights handling and opt-out processes consistent, with variations only where legally necessary
In short: GDPR Register lets you manage US state privacy laws as part of a unified, multi-jurisdiction framework. You keep a single view of data flows, consumer rights, vendor contracts and high-risk activities, while still being able to show how you meet the specific requirements of each state.