Compliance

State Privacy Laws Every Tax Professional Should Understand

Beyond federal requirements, state privacy laws create additional compliance obligations. Here's what you need to know about the major state regulations.

Easy Client Docs Team
October 14, 2025
4 min read

While federal regulations like the FTC Safeguards Rule set baseline security requirements for tax professionals, an increasingly complex landscape of state privacy laws adds further obligations on top of them. Understanding these laws, especially if you serve clients in multiple states, is essential for compliance and risk management.

The Rise of State Privacy Legislation

Since California passed the California Consumer Privacy Act (CCPA) in 2018, more than a dozen states have enacted their own comprehensive privacy laws. Each law has its own nuances, but they generally grant consumers rights over their personal information and impose obligations on businesses that collect and process such information.

For tax professionals, these laws can apply in multiple ways. Most of them attach to the residency of the consumer rather than the location of your office, so a practice in one state that prepares returns for residents of another may fall within that state's law. You may therefore be subject to the law of the state where your practice is located, the laws of the states where your clients reside, or both. Each law also sets coverage thresholds (typically revenue, the number of residents whose data you process, or the share of revenue derived from selling data), and many small practices fall below them. Determining exactly which laws apply requires careful analysis of each law's scope and applicability provisions.

California's Privacy Framework

The CCPA, as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law. It grants California residents rights to know what personal information is collected about them, to correct and delete that information, to opt out of the sale or sharing of their information, to limit the use of sensitive personal information, and to not be discriminated against for exercising these rights.

Tax professionals serving California clients need to consider whether they meet the thresholds for CCPA coverage and, if so, ensure they can respond to consumer rights requests. The law includes exceptions for certain types of processing, including an exemption for personal information handled under the Gramm-Leach-Bliley Act that may cover much of tax return preparation. Note that this exemption applies to the data, not to the business as a whole, and it does not reach the CCPA's private right of action for breaches of unencrypted personal information caused by a failure to maintain reasonable security. Careful analysis is still necessary.

Virginia, Colorado, and Other State Laws

Virginia's Consumer Data Protection Act and Colorado's Privacy Act joined California's law as the earliest comprehensive state privacy laws. Many other states have since followed, including Connecticut, Utah, Texas, Oregon, and Florida (whose law reaches only very large businesses), among others. Each law has its own effective date, coverage thresholds, and specific requirements.

Common elements across these laws include requirements for privacy notices, mechanisms for consumers to exercise their rights, data security obligations, data protection assessments for higher-risk processing, and restrictions on certain data uses such as targeted advertising and the sale of personal data. However, the specifics vary significantly, making multi-state compliance challenging.

Professional Exceptions and Considerations

Many state privacy laws include exceptions for data regulated by other frameworks. For example, data collected and processed in accordance with the Gramm-Leach-Bliley Act (which includes the Safeguards Rule applicable to tax preparers) may be exempt from some state law requirements. These exceptions are not uniform: some states exempt the financial institution as an entity, so the law does not apply to the business at all, while others (California among them) exempt only the GLBA-covered data, so any other personal information the practice holds remains in scope. Which kind of exemption applies in each state requires careful legal analysis.

Even where exceptions apply, following privacy best practices strengthens your overall compliance posture. Understanding what data you collect, why you collect it, how you use it, and how you protect it positions you well regardless of which specific laws apply.

Data Breach Notification Laws

Beyond comprehensive privacy laws, every state has a data breach notification law requiring businesses to notify affected individuals (and, above certain thresholds, state regulators) when a security breach exposes personal information. The specific definitions of what constitutes a breach, what information triggers notification (typically a name combined with a Social Security number, driver's license number, or financial account number), and how quickly notification must occur (fixed deadlines as short as 30 days in some states, "without unreasonable delay" in others) vary by state. Most of these statutes do not require notification when the exposed data was encrypted and the encryption key was not also compromised, which is one more reason to encrypt client files at rest and on any portable device.

If you experience a breach affecting clients in multiple states, you may need to comply with multiple notification requirements simultaneously, on top of the federal ones: the amended FTC Safeguards Rule requires notice to the FTC within 30 days of discovering an event that affects 500 or more consumers. Having an incident response plan that accounts for the most stringent requirements, records which states your clients reside in, and lists the regulators and contacts you would need to reach ensures you can meet all obligations under time pressure.

Practical Compliance Steps

Start by understanding your data practices. What personal information do you collect? Where does it come from? How is it stored and protected? Who has access? How long do you keep it? The Safeguards Rule already requires you to identify the data, systems, and devices that hold customer information as part of your written risk assessment, so this inventory is foundational knowledge that supports compliance with any privacy law.

Review your privacy notices to ensure they accurately describe your practices. If you serve clients in states with comprehensive privacy laws, include the disclosures required by those laws. Implement procedures to verify the identity of the requester and to respond to consumer rights requests within the required timeframes (45 days under most of these laws, with one extension permitted).

Staying Current

The state privacy landscape continues to evolve rapidly. New laws are enacted, existing laws are amended, and regulatory guidance clarifies requirements. Staying informed requires ongoing attention—whether through professional associations, legal counsel, or industry publications.

Consider privacy compliance an ongoing program, not a one-time project. Regular reviews of your practices, updates to documentation, and staff training ensure you remain compliant as requirements evolve and your practice changes.
