Privacy Law Recap 2025—State Comprehensive Consumer Privacy Laws

Perkins on Privacy

The state privacy law landscape in 2025 remained highly dynamic, even though no new states enacted omnibus privacy laws for the first time in years. 

Sweeping amendments and regulatory developments raised the compliance bar, continuing the momentum toward stronger consumer protections, particularly with respect to sensitive data and the data of kids and teens. State agencies also advanced rulemaking proceedings, with California’s finalized regulations setting new compliance benchmarks. This recap highlights key developments to help organizations assess their privacy programs and prepare for what comes next. 

Eight Laws Took Effect in 2025  

Eight state comprehensive consumer privacy laws became operative in 2025, almost doubling the number of states with effective laws. Of these, Maryland and Minnesota stand out for imposing unique or more rigorous requirements on businesses. 

For example, Minnesota’s law introduces several obligations that go beyond other statutes, including:   

  • Documentation requirements. Businesses must create and maintain formal data inventories and robust internal documentation, including a description of policies and procedures for compliance and the identification of a chief privacy officer.  
  • Additional consumer rights. In addition to access, correction, deletion, and opt-out rights, under the Minnesota law, consumers have rights to (a) know specific third-party recipients of their data (a requirement first introduced in Oregon) and (b) contest the results of profiling for legal or similarly significant decisions, including accessing the data used, rationale for the decision, and information on how to secure a different decision (similar to obligations imposed under California’s new regulations governing automated decision-making).  
  • Small business obligations. While small businesses are generally exempt from the law, they are still prohibited from selling sensitive personal data without consent.  
  • Minors. The law provides enhanced protections for teens, requiring consent for targeted advertising and the sale of personal data for minors between the ages of 13 and 16.
  • Enforcement and cure period. The attorney general has sole enforcement authority under the law. The law provides a mandatory cure period, which expires on January 31, 2026. In addition, the Attorney General’s Office announced that the act included funding to hire four new lawyers and an investigator focused primarily on enforcement of the law. 

Meanwhile, Maryland’s law imposes some of the most stringent compliance obligations yet, such as:  

  • Data minimization. Unlike most states, which restrict personal data collection based on the processing purposes disclosed to consumers, Maryland’s data minimization requirements limit collection to personal data that is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains. For sensitive data, Maryland deviates from opt-in models seen elsewhere and instead prohibits collection, processing, or sharing of sensitive data unless strictly necessary for the requested product or service and imposes an outright ban on the sale of sensitive data.  
  • Health data. The law provides expanded protections for “consumer health data,” which is broadly defined to capture personal data that identifies a consumer’s physical or mental health status. Taking a page from Washington’s My Health My Data Act and similar laws adopted in other states, the law prohibits selling or offering to sell consumer health data without the individual's consent, as well as the use of certain geofencing technologies that identify, track, collect data from, or send notifications to consumers about their consumer health data.
  • Minors. The law provides robust protections for minors, prohibiting the sale of personal data and targeted advertising for minors under 18 without any opt-in exception.
  • Enforcement and cure period. The attorney general has exclusive enforcement power and has discretion to grant a cure period for violations until April 1, 2027. 

The remaining laws that took effect in 2025 largely follow existing frameworks with some distinctions. For example:  

  • Iowa’s law provides more limited consumer rights and a permanent 90-day cure period for violations.
  • Delaware’s law specifies pregnancy as an explicit category of sensitive data and sets a higher threshold age for teen protections than many states, requiring opt-in consent for targeted advertising and the sale of data for individuals under 18.
  • Nebraska, like Texas and Minnesota, requires otherwise exempt small businesses to obtain consent to sell sensitive data.
  • Tennessee is one of the few states to establish a revenue threshold ($25 million) in addition to a processing threshold, limiting the law’s applicability. In addition, Tennessee’s law provides a unique affirmative defense safe harbor for businesses that comply with the National Institute of Standards and Technology Privacy Framework or other documented privacy standards but also allows treble damages for knowing or willful violations.  
  • New Jersey stands out as one of the few states granting agency rulemaking authority, and proposed rules released this year may potentially add significant compliance mandates if passed (see below for more information).   

Significant Amendments—Expanded Scope and New Obligations 

Nine states strengthened their existing frameworks through amendments in 2025, including sweeping changes in Connecticut and Montana. Some notable developments include:

  • Expanded applicability. Connecticut and Montana both reduced their processing thresholds for applicability and narrowed Gramm-Leach-Bliley Act (GLBA) exemptions from entity-level to data-level. Specifically, Connecticut now applies to businesses that control or process any amount of sensitive data (excluding payment transactions) or offer any personal data for sale. In Montana, previously exempt nonprofits may now be subject to the law and certain obligations apply to businesses offering online products, services, or features to minors regardless of thresholds.
  • Broader scope of sensitive data. Connecticut expanded the definition of sensitive data to include neural, financial account, and other data. Colorado joined all other states to expressly include precise geolocation as a category of sensitive data. Oregon banned the sale of precise geolocation data, and its law reflects the same broad definition of “sale” as that reflected in the California Consumer Privacy Act (CCPA).
  • Increased obligations for profiling and automated decision-making. Connecticut and Montana broadened consumer opt-out rights related to profiling, allowing opt-out for profiling in furtherance of decisions that are not “solely” automated. Connecticut is now one of the few states to give consumers the right to challenge certain profiling results, as well as receive the rationale and review inputs, with additional correction and re‑evaluation rights for housing decisions. Connecticut’s amendment also introduces an “impact assessment” obligation for profiling used in significant decisions and when profiling minors, distinct from general data protection assessments.
  • Consumer rights and privacy notices. Montana and Connecticut laws now require additional disclosures and more user-friendly and accessible formats for privacy notices. Among other things, Connecticut law requires controllers to disclose whether they collect, use, or sell personal data for training large language models. In addition, Connecticut consumers now have a right to request a list of third parties to whom a controller has sold personal data.
  • Browser-level opt-out preference signal. California’s Opt Me Out Act, effective Jan. 1, 2027, requires browser developers to provide settings for consumers to enable opt-out preference signals that automatically communicate the consumer’s choice to opt out of sale or sharing to websites. The amendment allows for rulemaking to implement the requirements.
  • Heightened protections for minors. Many states, including Connecticut, Montana, and Oregon, amended their laws to introduce additional requirements for minors’ data. For example: (1) Connecticut’s amended law bans selling personal data and targeted advertising for minors under 18, eliminating the previous option for opt-in consent; (2) Montana introduced a duty of care for minors, consent requirements, and specific risk assessment obligations; and (3) Oregon’s law now prohibits targeted advertising, sale, and profiling in furtherance of significant decisions for consumers under 16 with no option to obtain consent.

In addition to the above, various amendments that were enacted in 2024 took effect in 2025. For example, Colorado’s amendment establishing disclosure, consent, retention, and other obligations surrounding biometric data and biometric identifiers became operative. In California, neural data was added as a category of sensitive data. 

For additional details on some of these amendments, please see our mid-year recap.  

Rulemaking Updates 

Regulatory activity was a defining force in the evolution of U.S. privacy law in 2025, with California’s adoption of new regulations standing out as one of the year’s most consequential developments. These regulations establish new benchmarks for compliance, introducing mandatory reporting requirements and raising expectations for organizational accountability. California’s leadership in this area may influence privacy practices nationwide, as other states look to these standards for future legislation and rulemaking. 

California 

The California Privacy Protection Agency (now operating under the name CalPrivacy) finalized regulations on cybersecurity, risk assessment, and automated decision-making technology (ADMT) requiring businesses to adopt rigorous new protocols for CCPA compliance. Key requirements include: 

  • Cybersecurity audits. Businesses meeting “significant risk” thresholds must conduct annual cybersecurity audits, with detailed documentation, reporting, and executive certification requirements.  
  • Risk assessments. Businesses are required to perform and document risk assessments for activities presenting significant privacy risks (such as the use of sensitive data and ADMT). Assessments must meet prescriptive content requirements, and businesses must submit executive-signed attestations of completion to CalPrivacy.
  • ADMT. New obligations apply to businesses using ADMT that replaces or substantially replaces human decision-making for certain legal or similarly significant decisions. Among other things, businesses must provide a pre‑use notice, update privacy policies, honor access/opt‑out rights, and prepare to supply explanations of outputs and their role when using ADMT to make such decisions.  

The regulations also introduce insurance-specific guidance and clarify and strengthen existing obligations around consumer notices, consent mechanisms, opt-out preference signals, consumer rights, request procedures, and contractual requirements for service providers/contractors. 

Colorado

The Colorado Attorney General’s rules to implement amendments strengthening protections for minors were finalized and published in the Colorado Register. The rules establish factors in determining when a controller will be deemed to “willfully disregard” a minor’s status, expanding on the relevant knowledge standard. They also provide examples of “system design features” that increase, sustain, or extend use and are subject to consent requirements and identify scenarios likely outside scope. The rules recognize that a minor’s enabling of such a feature that is off by default can constitute valid consent.    

New Jersey Proposed Rules 

In June 2025, New Jersey’s Office of the Attorney General issued proposed rules to operationalize the state’s privacy law. The proposed rules would impose robust requirements. These include refreshed consent from consumers who have not interacted with the controller for 24 months in certain contexts, detailed data inventory with storage and access mapping, immediate deletion of sensitive data upon consent withdrawal, enhanced data protection assessments, detailed loyalty program notices, and expansive dark‑pattern prohibitions. The proposed rules would also make clear that “personal data” includes a list of elements that, when combined with other information, may make data reasonably linkable to an identifiable person. The Office of the Attorney General announced that a summary of public comments and agency responses will be published in a Notice of Adoption, expected in 2026, and that rules will become final upon publication of the notice.

Conclusion 

The 2025 developments in state comprehensive consumer privacy laws continued the trajectory of heightened expectations for business transparency, documentation, and accountability. States have adopted prescriptive requirements for processing involving sensitive data, minors, and automated decision-making or profiling. Consumer rights continued to extend beyond traditional access, correction, and deletion rights to include more granular rights regarding profiling and automated decision-making when used for certain purposes, greater transparency around third‑party data recipients, and more consumer-friendly opt‑out mechanisms, including browser-level signals. In this increasingly complex landscape, businesses should consider taking the necessary steps to ensure their privacy programs meet these new requirements and continue to monitor enforcement activity.  

This post is part of a series recapping privacy law developments in 2025. Please see the following updates for further information:

Privacy Law Recap 2025—Data Security

Privacy and Data Security Recap 2025—National Security

Authors

Partner
MFarhi@perkinscoie.com

Notice

Before proceeding, please note: If you are not a current client of Perkins Coie, please do not include any information in this e-mail that you or someone else considers to be of a confidential or secret nature. Perkins Coie has no duty to keep confidential any of the information you provide. Neither the transmission nor receipt of your information is considered a request for legal advice, securing or retaining a lawyer. An attorney-client relationship with Perkins Coie or any lawyer at Perkins Coie is not established until and unless Perkins Coie agrees to such a relationship as memorialized in a separate writing.

206.359.8195
Partner
MHalama@perkinscoie.com

202.654.6303
Associate
JOrtiz@perkinscoie.com

737.256.6143
