Mapping Data to the Shifting Panorama of Data Privacy Laws
How To Address the Ongoing Evolution of State Data Protection Laws
March 20, 2026
The U.S. continues to see an ongoing and dramatic increase in the number of states enacting general consumer data protection laws or amending the rigor of existing regulations. While California was the first state to implement a consumer privacy law in 2020, there are now 19 states that have enacted similar requirements and additional states have established other industry or data-specific privacy laws.1 With these developments, the number of regulatory inquiries and findings garnering public scrutiny towards businesses’ handling of personal data has accelerated, leaving legal and privacy teams under pressure to strengthen their privacy posture and improve data minimization practices.
Across the 19 states with privacy laws, many of the requirements imposed on businesses are similar, although there are notable differences related to right to know requests, third-party agreements, and artificial intelligence use. Underlying these privacy laws are requirements that will oblige many organizations to enhance their information governance practices to effectively comply. While cookies, online tracking tools and data sharing with third parties and service providers are areas that regulators frequently scrutinize, some states are also beginning to incorporate language emphasizing the need to minimize data collection and segregate data based on defined processes.2 In California, recent amendments to the California Consumer Privacy Act require monitoring and reporting capabilities for businesses’ data protection assessments, which will open new avenues for regulators to initiate inquiries.3
Given this complex and continually shifting landscape, a critical area for organizations to reexamine to maintain compliance is their data mapping capabilities. Data maps are detailed inventories of systems that process personal information. Data flow diagrams illustrate how personal data traverses systems and how the personal data is used. These materials are essential for understanding where a business’s data lives, how it flows through and out of the organization, and, importantly, what data the organization has already collected from consumers. They are important tools to ensure operational compliance with many requirements in the new state privacy laws and demonstrate due diligence. It is essential that data maps be managed as living documents that maintain accurate reflections of the organization’s dynamic data universe, rather than a point-in-time snapshot that may quickly become outdated.
With the insights provided by a data map, privacy teams can improve effective delivery of data subject rights and better understand which of their third parties are processing data and how, to enforce contractual compliance. The process of developing or updating a data map also helps to understand use of personal data across the business, so privacy notices can be kept up to date and accurate as the business evolves. Additionally, these exercises make it easier to flag when the organization is retaining personal data that is no longer needed, so the data can be properly disposed of.
Many new state privacy laws, such as new regulations in Maryland, focus on the concept of data minimization with respect to data collection.4 A data map can provide the foundation for meeting these requirements and a variety of emerging explicit and implied data minimization expectations present in many state laws.
For maximum efficacy, data maps and data minimization efforts should be aligned with the processes surrounding data protection assessments, which are also increasingly a feature of new laws. For example, data protection assessments should examine questions of data minimization when new high-risk products or services are designed.5 Without up-to-date data maps, it’s difficult to determine whether a processing activity is actually minimizing the personal data involved.
Another notable development is the U.S. Department of Justice’s new Bulk Data Transfer Rule, which takes a hardline approach to data transfers to third parties and sub-processes located in certain countries.6 It is essential that organizations understand how they process data to avoid violation of this new framework. Again, data mapping and analysis of the flows of personal data is necessary to evaluate whether cross-border data transfers are permissible within the scope of the rule.
The data privacy landscape continues to evolve in the U.S. and globally. Companies with rigorous information governance practices, including developing and maintaining data maps, will be well positioned to evaluate and maintain compliance with privacy laws as they change and become more strictly enforced. Data maps enable companies to implement effective data minimization practices, evaluate which third party relationships require privacy contracting for compliance, and improve a company’s posture for data rights management, data protection assessments and comprehensive privacy notices.
Increasingly, data maps must be treated as an essential tool and best practice in designing and managing resilient privacy and data protection compliance programs.
Footnotes:
1: IAPP. “US State Privacy Legislation Tracker” (updated Mar. 2, 2026).
2: Maryland Online Data Privacy Act, Md. Code Ann. §§ 14-4605(E)(7), 14-4607(B) (articulating the requirement to collect and retain only the minimum amount of data necessary to perform a specific business function).
3: California Privacy Rights Act of 2020, as amended through 2025, Cal. Civ. Code §§ 1798.100-1798.199.100.
4: Maryland Online Data Privacy Act, supra note 2.
5: Id.
6: Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 90 Fed. Reg. 1,636 (Jan. 8, 2025).