University of Pennsylvania Journal of International Law

Publication Date

Summer 2024

First Page


Document Type



This Article compares the material scope of several comprehensive consumer data privacy (or data protection) laws enacted recently in the United States, both with each other and with the European Union’s General Data Protection Regulation (“GDPR”). Our comparative analysis covers five broad state consumer data privacy laws enacted and in effect as of the end of 2023, specifically those adopted in California, Virginia, Colorado, Utah, and Connecticut. We contrast these against each other and the GDPR. We compare how each of these laws define and scope their subject matter (e.g., what constitutes “personal data”), how they define data subjects, what amounts to data processing, and which entities are obligated to respect the data subjects’ rights provided by these laws. We demonstrate how the existing state laws are more limited in most respects than the GDPR, and how their framing as consumer protection laws significantly limits their applicability and restricts their ability to adequately address the broad range of data privacy problems that confront contemporary society. Drawing on neorepublican political philosophy, we argue that most of these laws generally fail to adequately constrain commercial data markets in many contexts and that they also fail to address the problem of law enforcement agencies acquiring personal information from the commercial sector—ultimately raising concerns about domination and the potential for uncontrolled interference by both corporate and state interests in the private lives of the data subjects who ostensibly acquire rights. In the end, most of these “comprehensive” consumer data privacy laws at the state level in the United States do little to reign in corporate and state power to collect and use personal data in many contexts and represent a missed opportunity to provide much more significant protections for individual data privacy rights in the United States.