
State Privacy Laws: Where Enforcement Is Strongest

State privacy and wiretap laws create significant enforcement risk. Learn which states have the strongest protections, highest penalties, and most active enforcement.

The federal Wiretap Act (18 U.S.C. § 2511–2522) sets a floor, not a ceiling. States have been adding their own privacy and wiretap laws on top of it--more causes of action, steeper penalties, and more aggressive prosecutors. If you collect data across state lines, this patchwork matters.

Some states have made enforcement a real priority. Knowing which ones can save your company millions in liability.

Federal Floor, State Walls

The federal Wiretap Act says you can't intercept wire, oral, or electronic communications without consent. Congress made it a baseline. The Supremacy Clause allows states to go further, and most do.

When state law is stricter than federal law, you're liable under both. Not one or the other. Both.

The Eleven All-Party Consent States

These eleven states require everyone in a conversation to consent to recording or monitoring. They're brutal to defend:

  • California (Cal. Penal Code § 632)
  • Florida (Fla. Stat. § 934.03)
  • Illinois (740 ILCS 25/1 et seq.)
  • Maryland (Md. Code, Crim. Law § 3-602)
  • Massachusetts (Mass. Gen. Laws c. 272, § 99)
  • Montana (Mont. Code Ann. § 45-8-213)
  • New Hampshire (N.H. Rev. Stat. Ann. § 570-A:2)
  • Pennsylvania (18 Pa. Cons. Stat. § 5702)
  • South Dakota (S.D. Codified Laws § 22-21-1)
  • Washington (Wash. Rev. Code § 9.73.030)
  • West Virginia (W. Va. Code § 62-1-2)

One party recording without everyone else's blessing? That's a violation. Period.

The Four Worst Offenders

California: Private Right of Action, Scaled Damages. California's Invasion of Privacy Act (Cal. Penal Code § 632) is aggressive. The statute allows private lawsuits with damages up to three times actual damages or $5,000 per violation--whichever is higher. Scale that across thousands of calls and the math gets ugly fast. California's AG office isn't sleeping either. In 2022, the office settled with a major tech company over location tracking--a sign that enforcement has moved beyond phone calls into app-based surveillance.

Reference: Cal. Penal Code § 632

Illinois: BIPA and the Per-Violation Model. The Biometric Information Privacy Act (740 ILCS 14) focuses on fingerprints, face recognition, iris scans. Illinois courts interpreted it as strict liability--statutory damages of $1,000 to $5,000 per violation, no proof of harm required. Courts there have been consistent on this, making Illinois the model state for privacy litigation. The state's general wiretap law (740 ILCS 25) applies the same theory to non-biometric surveillance.

References: 740 ILCS 14 (BIPA), 740 ILCS 25 (Wiretap)

Massachusetts: The Strictest in the Country. Massachusetts criminalizes surveillance device use to observe or record anyone--even in public, without consent. Five years in prison. $10,000 fine. The courts interpret it broadly. The state's AG office enforces it aggressively, going after location tracking and app surveillance. Massachusetts has become a flashpoint for digital privacy enforcement.

Reference: Mass. Gen. Laws c. 272, § 99

New York: Consumer Protection Angle. New York is one-party consent, so recording is allowed if one person knows. But the state's AG has gotten creative, using the Consumer Protection Act (N.Y. Gen. Bus. Law § 349) to treat privacy violations as deceptive business practices. The office has brought cases against tech companies for unauthorized tracking pixels, location harvesting, and cookie collection, opening a different lane for enforcement.

References: New York AG Internet Bureau; Consumer Protection Act § 349

Other High-Risk States

Texas (Tex. Penal Code § 16.02) allows statutory damages and the AG has been cracking down on location tracking.

Georgia (O.C.G.A. § 34-11-2) has a wiretap statute with serious damages; the AG's office is now targeting app-based surveillance.

Michigan (MCL 750.539) requires all-party consent. State courts have been receptive to statutory damages claims.

Connecticut (Conn. Gen. Stat. § 53a-187) combines all-party consent with civil liability; the AG has filed cases recently.

Ohio (Ohio Rev. Code § 2933.52): all-party consent, recently tightened.

Data Broker Laws and Privacy Notice Requirements

Beyond wiretap statutes, states have added rules for data brokers and privacy notices:

Vermont (6 V.S.A. § 4726) requires data broker registration and enforces it the hardest of any state. New York (N.Y. Gen. Bus. Law § 599-i) mandates "reasonable security" and the AG has used this to bring cases. California's CCPA (Cal. Civ. Code §§ 1798.100–1798.199) is a detailed privacy statute with a private right of action; it covers tracking pixels, cookies, and location data.

Reference for California: California Attorney General - CCPA Regulations

What AGs Are Actually Targeting

State attorneys general have shifted focus. They're going after:

  • Tracking pixels and web beacons deployed without notice or consent
  • Cookie harvesting--collecting identifiers without explicit user approval
  • Location data from apps or geofencing without clear disclosure
  • Privacy policies that promise protections nobody's actually implementing

The FTC issued guidance on tracking technologies, and state AGs now cite it in their cases. The FTC Report on Social Media and Video Streaming is a good baseline for what regulators see as problematic.

The Math of Multi-State Operations

Operating nationally? The exposure compounds.

One tracking pixel across 50 states invites claims under multiple statutes. A practice affecting 100,000 users in all-party consent states could theoretically generate $500 million to $5 billion in liability (per-violation damages × number of users). Even one call recording in the wrong state carries $5,000 minimum statutory damages.

What You Actually Need to Do

  1. Map your data practices to state law. Which states' rules apply to each data collection activity?
  2. Use the strictest standard for everything. If you're designing systems, build to all-party consent standards even if you operate mostly in one-party states. Easier than managing 50 different configurations.
  3. Document consent. Create audit trails showing when and how users consented to tracking, recording, or monitoring.
  4. Check your third parties. Tracking pixels, analytics platforms, CRM vendors--verify they comply with state law.
  5. Watch AG offices. Follow what California, New York, Massachusetts, and Illinois are doing. The pattern spreads.

State enforcement is accelerating. Attorneys general are hiring experts on digital surveillance. This isn't a soft-compliance area anymore.