The Patchwork Problem: Why a Single Privacy Operating Model Across 20 States Is Impossible
As of mid-2025, twenty states have enacted comprehensive consumer privacy laws. Not sector-specific rules like HIPAA or GLBA. Broad, generally applicable privacy statutes covering the collection, processing, sale, and deletion of personal data. If you are operating a B2B company with customers, employees, or data subjects across multiple states, you are now navigating a compliance environment that is genuinely fragmented in ways that matter operationally.
The instinct most companies have is to build one privacy program, peg it to the strictest standard, and call it done. That instinct is understandable. It is also wrong in important ways.
The Current Count and Why It Keeps Moving
California got there first with the CCPA in 2018, amended significantly by the CPRA effective January 2023. Virginia's VCDPA followed, effective January 2023. Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) all went live in 2023. Then 2024 and 2025 brought a wave: Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Maryland, Minnesota, Indiana, Kentucky, Rhode Island, and others at various stages of enforcement dates stretching into 2026.
Each of these laws was drafted by a different legislature with different policy priorities, different lobbying pressures, and different existing legal frameworks. The result is not twenty copies of the same law. It is twenty laws that look similar at a distance and diverge sharply in the details that actually drive implementation.
Where the Divergences Hurt
Thresholds and Applicability
California's CCPA applies to for-profit businesses doing business in California with annual gross revenues over $25 million, or that buy, sell, or share the personal information of 100,000 or more consumers or households. Virginia's VCDPA has no revenue threshold at all; it kicks in if you control or process data of at least 100,000 Virginia residents, or 25,000 residents if you derive over 50% of gross revenue from selling personal data. Texas has no minimum data processing threshold and no revenue threshold. It applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents, unless you qualify as a "small business" under the SBA definition.
So your first problem is figuring out which laws even apply to you, and that analysis is different for each state.
Consumer Rights and Response Windows
Most of these laws grant consumers rights to access, delete, correct, and opt out of the sale of their data. But the specifics vary. California gives consumers the right to limit the use of "sensitive personal information," a category it defines broadly to include precise geolocation, race, ethnicity, union membership, and more. Colorado requires a universal opt-out mechanism and was the first state to make that operational, with enforcement beginning July 2024. Oregon's OCPA covers nonprofit organizations, which almost no other state law does.
Response timelines differ too. Most states give you 45 days to respond to consumer requests. But some allow extensions of 15 days, others 45 days. Iowa gives you 90 days. The cure period, the window you get to fix a violation before the AG comes after you, ranges from 30 days (Virginia, initially) to 60 days (Tennessee) to none at all. California eliminated its cure period when the CPRA took effect. Texas started with a 30-day cure period but the AG has discretion on whether to grant it.
Definitions of Sale and Targeted Advertising
This is where things get genuinely messy for B2B companies. California defines "sale" broadly to include sharing personal information for monetary or other valuable consideration. Virginia limits it to monetary consideration. Colorado's CPA defines "sale" similarly to Virginia but has a separate, expansive definition of "targeted advertising" that captures a lot of B2B data sharing arrangements that companies do not think of as advertising at all.
If you share data with a partner for lead scoring, intent modeling, or account-based marketing, you may be "selling" data in California, not selling it in Virginia, and engaged in "targeted advertising" in Colorado. Each classification triggers different opt-out obligations and different notice requirements.
Data Protection Assessments
Several states require data protection assessments (DPAs) for high-risk processing activities, but they do not agree on what counts as high risk. Virginia requires DPAs for targeted advertising, sale of personal data, processing of sensitive data, profiling, and any processing that presents a "heightened risk of harm." Connecticut mirrors this closely. Colorado goes further and requires DPAs to be made available to the AG upon request, with a specific weighing test that balances benefits to the controller against risks to the consumer. California's CPRA authorized the California Privacy Protection Agency to issue regulations on risk assessments, and draft rules released in late 2023 proposed a far more detailed and prescriptive framework than any other state.
Running one DPA template across all states will leave you either over-documenting for some jurisdictions or under-documenting for others.
Why "Comply to the Strictest Standard" Fails
The reason a highest-common-denominator approach breaks down is that these laws are not nested. They are overlapping and sometimes contradictory. California's broad definition of "sale" would push you to treat many data-sharing arrangements as sales and provide opt-out rights. But if you apply California's framework universally, you may be providing rights in states where those rights do not exist, creating consumer expectations you are not legally required to meet, and potentially exposing yourself to breach-of-promise claims if you later pull back.
Maryland's Online Data Privacy Act, signed in May 2024 with most provisions effective October 2025, goes further than California in some respects by restricting the collection of data to what is reasonably necessary and proportionate to provide the service the consumer requested. That is a data minimization standard that is closer to GDPR's purpose limitation principle than anything else in U.S. state law. If you build your entire program around Maryland's standard, you may be unable to collect data that other states' laws explicitly permit you to collect and use.
The patchwork is not just about strictness. It is about incompatible design choices.
What Actually Works Operationally
Companies that are handling this well tend to do a few things:
- Jurisdiction mapping at the data-subject level. You need to know where your data subjects are, not just where your offices are. This means tying residency or location signals to your data inventory.
- Modular consent and notice frameworks. One privacy notice with state-specific addenda is the minimum. Better is a dynamic notice system that serves the right disclosures based on jurisdiction.
- Separate opt-out mechanisms where required. Colorado and other states requiring universal opt-out signals (Global Privacy Control) need distinct technical implementation, not just a policy statement.
- DPA templates with jurisdiction-specific modules. A base assessment framework with bolt-on sections for states with specific requirements avoids both over- and under-documentation.
- Ongoing legislative monitoring. With new state laws still being enacted and existing laws being amended, compliance is not a project. It is a continuous function.
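As an added example (not part of the original article or of FirmAdapt's product), the opt-out step above can be wired up by reading the Global Privacy Control header, tying it to the data subject's residency from the jurisdiction map, and returning which opt-out obligations apply. The state list and the default for unknown residency are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# States whose statute requires honoring a universal opt-out signal such as GPC.
# Colorado is named in the article; the other codes are constructed placeholders
# and must be checked against each statute before use.
UNIVERSAL_OPT_OUT_STATES = frozenset({"CO", "CA", "CT", "TX", "OR", "MT"})


@dataclass
class Decision:
    honor_gpc: bool
    opt_out_sale: bool
    opt_out_targeted_ads: bool
    reason: str


def gpc_asserted(headers: dict) -> bool:
    """GPC is signalled only by the exact header value `Sec-GPC: 1`.

    Header names are case-insensitive, so normalise before lookup; any other
    value ("0", "true", "yes") is treated as no signal rather than guessed at.
    """
    normalised = {k.lower(): v for k, v in headers.items()}
    return normalised.get("sec-gpc", "").strip() == "1"


def opt_out_decision(headers: dict, subject_state: Optional[str],
                     honor_when_state_unknown: bool = True) -> Decision:
    """Map one request to the opt-out obligations that apply to this data subject."""
    if not gpc_asserted(headers):
        return Decision(False, False, False, "no GPC signal")
    if subject_state is None:
        # Residency could not be tied to the data inventory (jurisdiction mapping
        # step). Whether to honor anyway is a policy choice; assumed default: honor.
        h = honor_when_state_unknown
        return Decision(h, h, h, "GPC set, residency unknown")
    state = subject_state.upper()
    if state in UNIVERSAL_OPT_OUT_STATES:
        # Signal is binding: treat as opt-out of sale and targeted advertising.
        return Decision(True, True, True, f"GPC binding in {state}")
    # Not a statutory opt-out here; hand off to the state-specific request flow
    # instead of silently granting a right the state does not define.
    return Decision(False, False, False,
                    f"GPC not a statutory opt-out in {state}; use state-specific flow")
```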
How FirmAdapt Addresses This
FirmAdapt's compliance-first architecture is designed around the reality that regulated companies cannot treat privacy as a single, static program. The platform maps data processing activities against jurisdiction-specific requirements, flagging where obligations diverge and where a single control can satisfy multiple states versus where state-specific implementation is necessary. This includes tracking applicability thresholds, consumer rights variations, DPA requirements, and cure period timelines across all active state privacy laws.
Because FirmAdapt is built for regulated B2B environments, it also accounts for the layering of state privacy laws on top of sector-specific frameworks like HIPAA, GLBA, and FERPA, where exemptions and overlaps create additional complexity. The goal is not to abstract away the complexity but to make it visible and manageable so your legal and compliance teams can make informed decisions rather than guessing at which standard to follow.