In the first six months of 2019, U.S. state legislatures or regulatory agencies have brought into force more consumer‐centric data protection laws than in all of 2018. Noteworthy among these laws are (1) Oregon’s Internet of Things (IoT) law, the second in the nation; (2) Nevada’s prohibition of sales of personal information by website operators or “CCPA lite,” and (3) Maine’s prohibition of sales of customer personal information by Internet Service Providers (ISPs).